Exodus Intelligence, by revealing how vulnerable top FLOSS projects are, may be doing the greatest service to privacy since Snowden.
They are finally making clear, to mainstream tech writers and to the users and developers of privacy tools alike, that software should be audited far more thoroughly relative to its complexity, which means large investments and/or a much-expanded volunteer participation.
Sure, a zero-day market should not exist, but it always will, and it will keep growing because it cannot be stopped. No major country will make it illegal to not disclose a discovered zero-day, because every other major country would continue to stockpile them.
We are fortunate that some players in that market see an economic advantage in releasing such information (and, apparently, in responsible disclosure).
The only major objection to Exodus Intelligence is that they haven't gone nearly far enough: there are so many potential vulnerabilities at the firmware and hardware level, which they do not mention at all.
I'd argue they know very well, given their general competencies. But possibly they haven't because they cannot provide any services in that area, and it is in their best interest to underestimate such threats in order to increase the perceived value of their software-level zero-days for defensive purposes.
Unfortunately, we may never see a similar company emerge for hardware-level zero-days, as it would have to come from the upper echelons of US state security agencies, or from the highest-clearance executives of the dominant mainstream processor and hardware makers and of the major world foundries.
To start moving towards solving those vulnerabilities, we'll have to rely on their proven feasibility, the opinion of the world's foremost experts and expert bodies, and other supporting evidence. We'll look at that in a future post.