Does publishing exploit code prior to a patch help software security?
Moore: Until there’s actually a public proof-of-concept available for a given exploit or for a given vulnerability, it’s anyone’s guess what the real impact is. Sometimes you have vulnerabilities that look really bad on the surface, where it says anyone can run code on your computer, but when you actually get down to brass tacks and try to exploit it, you find that there’s all these limitations. If you have data execution prevention (DEP) enabled, or if you’re running this platform or that platform, or running in this configuration or that configuration, it’s really not a big issue at all. So by having a platform that people can use to test these vulnerabilities and verify the real impact of these software flaws, it gives people more confidence about not only what they should be doing on the network but whether what they already have in place is working correctly or not.
About how many exploits and payloads are available in Metasploit right now?
Moore: Every day it goes up by a couple. I think we