Recently we have seen that intelligence agencies are well aware of zero day exploits on many operating systems by the large number of leaked documents by Wikileaks and others in the security space. Seemingly security researchers and intelligence agencies are holding onto these vulnerabilities so that they can use them against their adversaries. In today's blog post we wanted to run a scenario by you and get your opinion on whether security companies should hold onto vulnerabilities or if they should go public with the data as soon as exploits are discovered. This becomes increasingly important as these exploits are worth money to intelligence agencies, security researchers and malicious actors that use them to create money through any number of nefarious means.
Recently during a JPM (Jigsaw Protection Model) audit our engineers discovered a very easy to execute and common method for taking over Windows machines with installed antivirus products of which we won't name. The exploit is trivial and results in a complete system compromise but we don't believe that the exploit is being used in the great Internet wars of 2017. That being said it brought up a lively discussion within Jigsaw as to whether we should disclose the vulnerability or sit on it. The end result is that we will be sending the information to 5 different antivirus manufacturers to see if they can patch their products but the discussion that was had within the walls of our compound were very interesting. We heard everything from "let's sell the exploit to the highest bidder" (not my first choice) to the let's submit this to DHS to the "let's turn this on threat actors" (I doubt they even use Windows or Antivirus for that matter).
We would like to get your opinion. The best response to this weeks post will win the very first Jigsaw Premier Sensor to be released next week to coincide with Blackhat 2017. We may even through in a mouse pad and T-Shirt for your troubles or send out a few extra depending on our response. So let us know your thoughts on Twitter with the hadhtag #jigsawcontest and we will pick the winner at the opening of Blackhat and announce the winner here on the Jigsaw blog.
As a side note we thought we would do our annual disclosure for you in this post as well:
Number of National Security Letters Received: 0
Number of Target Letters Received: 0
Number of Subpoenas Received: 1
Number of Zeroday Exploits Found: 2
Number of Zeroday Notifications to Date: 1
If you do the math you can see that we are sitting on one of the exploits in part because we don't really know if it's a Windows exploit or an Antivirus exploit. The jury is out but rest assured we have notified the appropriate vendors. If they fail to respond we will publicly disclose the exploit at Blackhat 2017.