Comment by computersuck
Comment by computersuck 2 days ago
It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.
Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harms way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which sure, might make a difference).
You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.