The economics of proving exploitability
Disclaimer
This is still a draft, and I’m planning to revise and edit it, such as changing some of the first person phrasing in places. (Or I might not and just remove this disclaimer)
It depends
When a security researcher or engineer discovers a new vulnerability, what should they do about it? Should we prove exploitability, go part of the way there, or just fix the bug? As with so many things, the answer is “it depends”.