Symantec Buys SecurityFocus, among others.

[full-disclosure () lists netsys com (Steve)]

> Release exploits with the vaguest of descriptions as to how they work 
> (lost for examples -- just copy'n'paste the "technical bits" of some 
> of the security bulletins from MS...).  Have the _only_ PoC code a 
> compiled binary loaded with copyright notices forbidding reversing, 
> etc.  Be sure to use some "encryption" (extremely trivial is OK as 
> complexity doesn't matter; can you say XOR?) in the PoC to "protect" 
> the important secret (generally the overflow "string" itself).  Be 
> capricious in who you prosecute under the DMCA for incoporating 
> vulnerability detection of this flaw into their products.  (Many 
> other "pro-reversing" laws allow reversing if doing so is the only 
> (practical) way to ensure compatibility or system inter-operation -- 
> this should not be a defense against reversing a security 
> vulnerability exploit...)


But how could you stop one from simply setting up a sniffer to "see"
what the exploit does on the network or monitor the local system to see
what is done?  I am all for people releasing exploit code, I see no
reason not to, but trying to protect it is a waste of time as there are
a million ways, legal ways, around it.