GUIDE
Secure Your Web Apps: Practical Fixes for the Top 5 Vulnerabilities.

The Hidden Advantage: Why Experienced Pentesters Hold the Keys to a More Secure Future

Many in the cybersecurity world still grapple with understanding the dynamics of zero-day vulnerabilities and why they're so prevalent. There's a common misconception that the longer a vulnerability remains unpatched, the more severe the threat. But the reality is far more nuanced, and it's a reality that experienced pentesters leverage to fortify our digital defenses.

As a CTO, and someone who's been immersed in the world of cybersecurity for decades, I can confidently state that virtually every skilled pentester I've worked with or mentored over the years possesses a small cache of zero-days: undisclosed vulnerabilities and accompanying proof-of-concept exploits ready for use in future penetration tests. This might sound concerning to some, but it's actually a testament to their deep expertise and efficiency in protecting organizations.

I'd estimate that a senior pentester with a decade of experience, consistently uncovering bugs for Fortune 500 companies and other tech giants, likely has a dozen critical vulnerabilities, double that for high-risk vulnerabilities, and hundreds of lesser ones. These findings often reside on their hard drives or within attack scripts, ready to be used to elevate system privileges, “pop boxes”, and deliver more compelling and impactful findings to their clients.

Why Do Pentesters Hold Onto 0-Days? It's All About Strategic Impact.

Several reasons explain why a pentester might be sitting on zero-days, and each points to a strategic approach to security:

  • Client-Driven Decisions: Sometimes a pentester discovers a vulnerability during a client engagement and discloses it to the client. The client then decides how to handle disclosure, perhaps opting for a coordinated approach so that their own systems are mitigated before the bug becomes public. In these cases the client owns the vulnerability and dictates the next steps for remediation. From my experience with "high-risk" bugs, roughly half of the clients ask the pentester to lead the vendor disclosure. About 20% choose to alert the vendor themselves, another 20% intend to but never do, and a small 10% explicitly instruct the pentester not to inform the vendor, citing other plans for the vulnerability, which could include proactive internal patching or strategic timing for disclosure. In the latter two groups the vendor never learns of the bug, so it remains a live zero-day for every other customer of that product.
  • Beyond the Scope, Unearthing Deeper Insights: A vulnerability might not be critical on its own within a customer's environment. It might require chaining with other bugs and attack vectors to become a reliable exploit. While the initial discovery might happen on a client's dime, the deeper work often occurs outside the engagement. This extended research allows pentesters to uncover more complex attack paths and provide clients with a comprehensive understanding of their true risk, even if the original finding didn't warrant immediate panic.
  • Independent Research: Fueling Future Protections: Pentesters often identify intriguing devices or software "out of scope" of a client engagement, or they uncover vulnerabilities through private research. These bugs remain dormant until the pentester can test them against a "live" client environment in the future. This ongoing research is crucial; it means pentesters are constantly expanding their knowledge base and developing new ways to identify and mitigate risks, ultimately benefiting all their future clients.
  • The Nuance of Disclosure, Ensuring Effective Remediation: Disclosing a vulnerability to a vendor can be a complex, unpaid, and time-consuming chore. Furthermore, the vulnerable application or hardware might only be accessible within a specific client's environment. Vendors typically require detailed information—like patch versions, configuration files, packet captures, or proof-of-concept code—to verify and develop a fix. Pentesters may not have this information readily available, or the exploit code developed during a client engagement might be proprietary to the client. This highlights the practical challenges of disclosure and why strategic timing and complete information are vital for successful remediation.

Navigating the Ethics of 0-Days: Building Trust and Stronger Defenses

Holding onto zero-day vulnerabilities raises common ethical questions, but the answer often points to transparency and client commitment. What happens, for instance, when a pentester discovers the same vulnerability on another client's infrastructure?

The answer is quite straightforward: transparency and client protection are paramount. If Client B has paid the pentester to find vulnerabilities, the pentester cannot ethically withhold a finding simply because they first discovered it during Client A's engagement. Each pentest and its findings are distinct to the client, ensuring that every client receives the full benefit of the pentester's expertise.

Consider this hypothetical scenario: A pentester is commissioned by Client A to find vulnerabilities in a firewall appliance. After a week of investigation, they uncover a couple of critical vulnerabilities, each taking about 10 hours to discover, prove, and develop an exploit for. Upon receiving the final report, Client A decides to handle the disclosure process themselves, meaning they intend to keep it quiet, perhaps until their own mitigations are in place.

A few months later, the pentester works on an engagement for Client B, who happens to be using the same firewall. The pentester conducts their usual investigation, but also checks for the vulnerabilities they suspect to be present. This check for the two critical vulnerabilities might only take five minutes to assess and confirm, significantly less time than the initial discovery. The final report to Client B lists all the vulnerabilities, including the two "0-days." Client B now also owns all the findings within their report.

If Client B wishes for these two 0-days to be disclosed to the vendor for a fix, that must happen. Under no circumstances could the pentester ethically withhold those findings from the client. However, if the pentester wants to retain Client A for future work (or avoid any perceived "breach of contract"), I've found it's generally acceptable and "good form" to inform Client A that the same vulnerabilities have surfaced elsewhere and that another client is proceeding with disclosure. This open communication fosters trust and ensures responsible security practices across the board.

The Value of Experience: A Catalyst for Advanced Security

One of the significant benefits of hiring an experienced senior pentester is that they possess a wealth of "0-days." This knowledge makes them incredibly efficient at finding bugs and flaws in their clients' networks. It's not just about finding vulnerabilities; it's about leveraging deep knowledge to pinpoint weaknesses faster and more effectively. In fact, asking a pentester about the number of 0-days they're sitting on can be an excellent indicator of their efficiency and experience, showcasing their capacity to drive immediate and long-term security improvements.

This unique expertise possessed by top pentesters is a powerful asset in the ongoing effort to build a more secure digital world. By understanding their methods and the value of their accumulated knowledge, organizations can make more informed decisions and invest in the proactive security measures that genuinely make a difference.

About Gunter Ollmann
Gunter Ollmann serves as Cobalt's Chief Technology Officer (CTO). With rich and diverse experience in cybersecurity innovation, Ollmann leads Cobalt's technology and services strategy, delivering AI-enabled offensive security solutions coupled with unmatched human ingenuity.