Publishing Exploits Does More Harm Than Good, Kenna Security Research Finds

May 13, 2021

Share with Your Network

Disclosure of Exploit Code Before Patch Availability Gives Threat Actors A Massive Head Start


SANTA CLARA, Calif., May 13, 2021 — Cybersecurity researchers and “white-hat” hackers that publicize exploit code used in cyberattacks are giving a clear and unequivocal advantage to attackers, new research has found. The research, Prioritization to Prediction, Volume 7: Establishing Defender Advantage conducted by Kenna Security, the enterprise leader in risk-based vulnerability management, and Cyentia Institute, offers a definitive answer to one of the longest-running debates in cybersecurity. 

“This data-driven research, built over the course of several years, should remove any doubt,” said Ed Bellis, founder and chief technology officer of Kenna Security. “Practices that have long been central to the cybersecurity ecosystem, that many of us thought were beneficial, are in fact harmful to defenders.” 

The findings are explained in Kenna’s latest report, Prioritization to Prediction, Volume 7: Establishing Defender Advantage.

For years, the cybersecurity industry has relied on “white hat” hackers to identify potential vulnerabilities and develop exploit code to prove that security flaws are more than theoretical. About one-third of the time, that code is made publicly available before a software developer can make a patch available. For decades, software developers and security researchers have debated whether the practice improves overall security because it identifies vulnerabilities and motivates security teams to patch them, or if the practice gives attackers advantage because it essentially offers a road map for attacks. 

The research found that when exploit code precedes a patch, attackers gain a 98-day advantage over defenders – that is, attackers deploy the exploit against more assets than defenders can mitigate for more than three months. 

The release of exploit code also drives a massive volume of exploits. Just 1.3 percent of vulnerabilities have been exploited in the wild AND have publicly available exploit code. But vulnerabilities that fall into that tiny category are exploited, on average, 15-times more frequently than those that don’t, and they are used against six times as many companies.  

The analysis also found that:

  • It takes organizations 40 times longer to fix vulnerabilities on Linux and SAP software (about 900 days) than it does Google and Microsoft products (about 22 days). 
  • When a published exploit allows remote code execution, it is used 30-times more frequently.
  • Public exploit code exists for just 6.5 percent of vulnerabilities, but for the majority of them, there is no evidence of exploitation in the wild.
  • For approximately two-thirds of exploitations observed in an enterprise environment, there is no known published exploit code, though many exploitations (such as SQL injection) do not require code. 

“What we see is that the availability of exploit code drives both a volume of exploitation and makes it easier for hackers to deploy the types of attacks most likely to cause serious damage to an enterprise,” said Wade Baker, partner, and co-founder of Cyentia Institute. “When exploit code is integrated into hacking tools – both legitimate and malicious – it becomes faster and cheaper to find and exploit security weaknesses.” 

Researchers eliminated several competing hypotheses to support their conclusion. They found little evidence that the release of exploit code facilitated earlier detection of active exploits, nor did they find that it motivated faster mitigation. 

Typically, security researchers will disclose vulnerabilities and exploits to software developers and give the developer time to offer a patch, a process known as security disclosure. But often, researchers may make details about the vulnerability, including working exploit code, available to the public. 

“While there is no shortage of opinion on every side of the disclosure debate,” said Jay Jacobs, partner and co-founder of Cyentia Institute, “very little objective research has been done on both the potential benefits and harm caused by well-intentioned security researchers releasing weaponized exploit code. The data provides clear guidance to the security community: publicly sharing exploit code benefits attackers more than defenders.”


Additional Resources


About Kenna Security

Kenna Security is the enterprise leader in risk-based vulnerability management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most. Headquartered in Santa Clara, Kenna serves nearly every major vertical and counts CVS, KPMG, and many Fortune 100 companies among its customers.



Media & Analyst Contact: 
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 609-385-2058



© 2022 Kenna Security. All Rights Reserved. Privacy Policy.