Anonymous GitHub account mass-dropping undisclosed 0-days

An anonymous GitHub user, 'bikini,' has published 'exploitarium,' a public repository containing numerous proof-of-concept exploits for what the author describes as unreported 0-day vulnerabilities. The author states that this mass release is meant to attract new talent to vulnerability research, inviting others to report the bugs and claim the CVEs. The release is provocative by design: it sets full disclosure against coordinated reporting and raises the question of what publishing live, unverified exploits means for vendors and users.

Score: 9 | Comments: 0 | Highest Rank: #1 | 4h on Front Page | First Seen: Jun 27, 3:00 PM | Last Seen: Jun 27, 6:00 PM

The Lowdown

An anonymous security researcher, operating under the GitHub handle 'bikini,' has published 'exploitarium,' a repository housing a collection of proof-of-concept (PoC) exploits for what they claim are unreported zero-day vulnerabilities. The author's stated intention is to 'allure people into the field' of vulnerability research, encouraging others to take these PoCs, report the vulnerabilities, and potentially claim CVEs for themselves. This unconventional approach to disclosure has been met with both intrigue and debate within the cybersecurity community.

  • The exploitarium repository aggregates both former standalone PoC projects and newly added research entries.
  • It includes vulnerabilities affecting a wide range of software, such as 7-Zip, AnyDesk, c-ares, Docker, Firefox, FFmpeg, Ghidra, Gitea, ImageMagick, libssh2, MyBB, Nmap, OpenVPN, PHP, RustDesk, System Informer, and VLC.
  • The repository explicitly states that at the time of posting, none of these vulnerabilities have been reported, inviting others to do so.
  • A 'Consolidation Check' confirms the integrity of older PoC repositories moved into this consolidated archive.
  • The author sternly warns against malicious use, stating: 'Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research.' By publicly releasing PoCs for unreported vulnerabilities, 'bikini' has deliberately provoked discussion on ethical disclosure practices, the role of public exploits in security education, and the immediate implications for the affected software vendors and their users. None of the claimed vulnerabilities has been independently verified, so the PoCs should be treated as untrusted code and run only in isolated environments.