I personally believe that writing PoC code is crucial; it allows you to see how far you can go with a hole. However, I personally don't believe that making it public is ethical ( emphasis added ). If the advisory and overview are strong enough, admins can make their changes.
Key word here is ethical. That would depend ...
It would depend on the response of the author or organization that released the program ( for profit or not ):
1) Did they respond to you about the hole/vulnerability in a timely manner?
2) Were they responsive to your concerns?
3) Did they attempt to patch the code in a timely manner?
4) Did they announce the vulnerability in an appropriate manner?

As far as posting the actual PoC, I would take the advice here: manipulate it in such a way that the reader would have had to have the ability to find it in the first place to use the exploit. ( more on that later )

As far as the disclaimer goes, as implied here and in other posts on other topics, it will depend on the jurisdiction in which it is released, their laws, the current moods of their courts, etc.

The only thing that comes to mind were the cases involving “DeCSSplus”. ( Google for it; there were many in the U.S. ( California ) and Norwegian courts, and much written about it. )
At the very top of the readme.txt ( v1.0 ) was
!! THIS PROGRAM IS FOR EDUCATIONAL PURPOSE ONLY !!
!! YOU ARE NOT ALLOWED TO MISUSE THIS PROGRAM TO COPY DVDS !!
I am not going to get into "Freedom of Speech" or "Freedom of the Press" issues here, but courts look at such things as “what is reasonable and prudent”.
Is it reasonable to only give the author 10 days to fix it? Or might 30 days be more reasonable? ( If CERT, a recognized authority, sets a time frame like this, would this not be “reasonable”, or at least defendable using CERT as a reference? )

Don’t get me wrong, I am not saying CERT is correct just because they are CERT. But I believe they understand something that the lay person ( say, someone on a jury ) would not easily understand:

1st) 10 days may not be enough for an author, who may be on vacation and unreachable for a week or two, and/or the new code may need extensive testing ( unless you want to grandstand ).

2nd) If you found the exploit, hole, whatever, someone else has either already found it or will!

I believe the latter is the key to your question: what everyone here and in the computer security industry must agree to for a PoC to be acceptable. ( And that goes back to covering yourself by manipulating the code so that only someone with enough knowledge to find the exploit could reproduce it from your PoC. )

If everyone in the computer security industry agrees that it could have been discovered already, not disclosed, and currently or in the very near future exploited ( even though non-disclosed or the loss not calculable ), then any liability concerning releasing the PoC, especially within an industry-accepted time frame, should be negligible.


My example would be: What if you found a vulnerability and notified the author? That author had released it under a GNU license. They failed to respond. Six months later, a utility company’s systems crashed because someone exploited that same vulnerability. Five hundred people died because of that crash. How would you feel if you had not done everything that was “reasonable and prudent”?