Comment by Leherenn

5 years ago

What makes it less of an issue for black hats? Do they have access to symbols/source code that security researchers do not/are not willing to use?

I certainly understand the frustration for legitimate researchers, and there's plenty to be said about having the source code available to make auditing easier, but in itself it seems that making a black hat take 6 months instead of 1 to create an exploit raises the skill/patience level needed and busies them for a while during which they are not working on the next exploit.

Yes: black hats have much more incentive and generally larger, more focused teams to find these bugs, and they aren't concerned with the issues of buying stolen devices and source code on the black market. (If you're curious, search for "dev-fused iPhone" and "iBoot source code". The Project Zero team works from about the worst situation possible, choosing to even forgo using services like Corellium.)