
Breaking something is easier than protecting everything from all fronts.

Hackers write the worst code, but all the mess needs only one successful hit to become a 0day.



Instead of making a website about it, you can take any step of your exploit chain and change the code so that the exploit cannot possibly work, and submit that as a patch. You would still get a CVE number assigned that you can add to your resume.

For example, look at the glibc/iconv CVE some other user posted[1]. In the section "Out-of-bound write when converting to ISO-2022-CN-EXT" they have mapped out the boundary checks. By diagnosing the problem in this much detail, they already did 90% of the work. The other 10% are the patch and writing to the mailing list.

[1] https://www.ambionics.io/blog/iconv-cve-2024-2961-p1


Making a website about it benefits other people; finding the vulnerability helps other people; even if it's 10%, why can’t someone else do it?

Surely someone doing all this would already have submitted a patch if they felt comfortable.



