A proof of concept (PoC) exploit is a non-harmful attack against a computer or network. PoC exploits are not meant to cause harm, but to show security weaknesses within software. Identifying issues allows companies to patch vulnerabilities and protect itself against attacks.
How PoC exploits work
Typically, PoC exploits are done by a vendor working for the company. By simulating an actual attack, it allows the company to patch the security hole without systems or data being compromised. The code developed for the test (a proof of concept code) will likely be used in the future to test the software and make sure the new security measures work.
PoC code and zero-day exploits
PoC code is a term used to describe a code that was developed to demonstrate security flaws in software or networks during a PoC exploit. IT departments use it to simulate attacks to identify vulnerabilities and patch them. PoC code can also be used to determine a threat level.
When PoC code is published before the security hole is patched, a zero-day exploit can occur. Zero-day exploits are malicious attacks that occur after a security risk is discovered but before it is patched.
Publishing PoC code has become controversial because it can lead to zero-day exploits when it is released too quickly. When a PoC code is shared before a weakness is patched, it leaves software and networks vulnerable to hackers. Many large companies have recently fallen victim to security breaches due to PoC codes being shared before issues can be fixed.
Publishing PoC code put and cyber-attack
As long as the PoC code is published after any weaknesses in the security is patched, a company should not have to worry about putting their cybersecurity at additional risk. In addition to using PoC code later to simulate attacks and identify any possible issues, it also shows that a company is aware of the issue and is confident in its solution to protect itself.