Is It Ethical to Keep a Zero Day for a Competition?

I have found a zero day on a server that the local hacking league uses for most of their scenarios during competitions. It isn't huge or anything but it does help me get in and I am hoping to get it working with some MSF payload. My question is, is it ethical for me to keep this zero day a secret so I can use it during my competition or should I report it now?

Ethical hackers keep their 0day to themselves all the time. Check out this killer "0day" that a hacker saved until Blackhat this year: "Funtenna"

I would say the benefits of keeping it to yourself for a convention are more "fame or fortune" motivation, but there are plenty of ethical reasons to keep a 0 day to yourself.

Namely, even if you aren't the first to know about it, it isn't widely known so it isn't being widely exploited. Maybe you want to keep it to yourself or a small group to develop a patch first and then release the exploit. Maybe you release the exploit to persuade (coerce) the vendor to release a patch for their software.

Bottom line is, it's up to you and your own definition of right or wrong. When you do release it, please write a tutorial.

It is still in the early stages, I haven't even done more than manually do the exploit. If I get it good enough I can post it here.

It might not be a zero day anymore when the competition comes.

I think personally that keeping a 0day hidden is a crime, mostly because:

1.) You don't give companies the chance to fix this hole, thus putting the privacy of thousands of people at risk.

2.) A 0day is some kind of knowledge too. And like I often say: "knowledge is what makes us humans what we are, and thus, if you deny knowledge to anyone, you shouldn't be considered as a human being"

But this is mostly a question about morals instead of ethics. Technically, it is legal to keep your 0days private, but it is simply "not done".

I guess it is fine to keep this exploit of yours hidden until the contest, but be aware that keeping this exploit private for that certain contest may be qualified as cheating!

And like anons4animals mentioned, your 0day may no longer be a 0day when the competition comes.


I was kinda thinking of submitting it because it is a security hole, but on the other hand it isn't anything huge or super dangerous, just something to give me an edge.

