PunkSpider is a tool that automatically crawls the internet searching for vulnerable websites. It then lists those websites and their vulnerabilities in a public database with the intention of creating a more secure online world. It was originally launched by developer Alejandro Caceres and his company Hyperion Gray, but was eventually shut down. It is slated to return at Defcon in August of 2021. But what does this really mean for vulnerable websites?
When asked about his intentions with this tool, the developer said “wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free? I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good” (Caceres, WIRED article).
The other side of the argument comes down to timing. Regardless of the good intentions, publishing vulnerabilities gives attackers a window: “bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches” (Karen Gullo, email to WIRED).
This raises the question: should a tool like PunkSpider exist? Should those vulnerabilities be made public? Will this lead to more ransomware attacks? Caceres responded to these concerns by saying “you know your customers can see [the vulnerabilities], your investors can see it, so you’re going to fix that s*** fast.”
What do you think about PunkSpider? Leave a comment below. Thanks for reading!