Inside New York City’s Cyber Command. Despite debate in the threat intel community, a new study finds that publishing exploits before patches are available does more harm than good. (New York University)

A new study quantifying the benefits and dangers to security when exploits are published before patches found a lot of the latter and little of the former.

There is a counterintuitive debate over whether researchers or criminals releasing exploit code as soon as a vulnerability is discovered is actually beneficial. Advocates believe that posting exploits helps in penetration testing, provides an incentive to patch and generally makes a vulnerability seem more tangible. Detractors note that exploit code can be reappropriated by hackers, including those who otherwise may not have the ability to generate the code themselves.

“This debate has raged on ever since I’ve been working in security 20 some years ago,” said Jay Jacobs, co-founder and partner at the Cyentia Institute. “This is a first really nice swing at doing research and bringing data to this discussion, and this data is rather clear.”

Kenna Security and the Cyentia Institute analyzed data for 13 million assets to see how publishing exploits impacted security outcomes. They found publishing exploits had very little impact on whether organizations applied fixes and releasing exploits pre-patch left longer gaps between the publishing of a vulnerability and the creation of defensive signatures.

The new report released Thursday builds on a series of previous studies Kenna and Cyentia have done together on the subject. It takes a hard look at three key hypotheses: that published exploits encourage fixes, that published exploits improve defense and that published exploits accelerate breaches.

The report found that network defenders were almost exactly as likely to mitigate a problem when an exploit had been released before the patch. If an exploit was released first, a median of 46.3% of systems were patched in the first three months, a cumulative 57.5% after six months and 67.8% after 12 months. Patches were actually more common when the first exploit was released after the patch, although only marginally so, and remediation followed the same curve (49.1% at three months, 59.3% at six and 70.6% at 12 months).

The data also showed that the time between a patch being released and the release of signatures for a vulnerability ballooned when exploits were released before the patch. When the exploit was released first, the time to signature was mostly spread out over the first month, with a median of 27 days. When the patch preceded the exploit, the times to create signatures were densely packed around the median of four days.

Hackers are dramatically more likely to target vulnerabilities when an exploit is published, according to the study. Vulnerabilities with exploit code were exploited 15 times more often than those without.

“Of the results, this was actually the least surprising,” said Ed Bellis.

Whether or not the data demonstrates the lack of benefit – both Bellis and Jacobs are pretty sure it does – Jacobs is pessimistic that having data will dramatically alter a deeply entrenched debate.

“I think all of us know data is not always the most convincing argument to some people,” he said. ‘But it is a reference point. And I hope when people try to push for publishing exploit code that this research is at least referenced and part of that discussion.”