I Don’t Like Your Proof-of-Concept

POPTART
Initial Access Exploit Developer, VulnCheck

Proof-of-Concept exploits (PoCs) are critical to getting concrete information about vulnerabilities and are the primary way to get real additional data about risk. Unfortunately, most PoCs are not very good.

This talk will cover the in-depth do's and don'ts of the most common things that make PoCs frustrating, annoying, or factually incorrect, all of which the VulnCheck Initial Access Intelligence team sees daily in our role reproducing bugs and N-days. The issues discussed range from fundamental exploit design problems, to ubiquitous stylistic choices, to how the choices made by the security community hinder quick action. We will also highlight some of the most egregious examples seen in the wild that have led to widespread false information and nearly universal incorrect signature creation that leaves organizations open to attacks.

Afterward, the team will discuss the best ways the community can elevate some of the most important and time-sensitive work, explain how our team isolated and built solutions for those common PoC issues, and demonstrate the side-by-side reasoning for why some choices are better than others. This will show how a framework for designing and building PoC exploits can improve both the development experience for researchers and the outputs for consumers of the data, to make everyone happy.