The case for publishing proof-of-concept code in an AI world

COMMENTARY: In December 2025, attackers exploited a public proof-of-concept (PoC) released for React2Shell, a critical remote code execution (RCE) vulnerability affecting React Server Components. Within hours, more than 50 organizations found themselves targeted, their networks breached before they could patch or prepare.

This scenario isn't rare: it's the new normal.

The debate over vulnerability disclosure has gone on for decades in our industry. The central tension, often referred to as "publish or perish," revolves around whether releasing PoC code arms attackers more than it helps defenders. With the rise of AI, this debate has resurfaced with renewed intensity. Critics argue we are in a "hyperactive" era in which AI-enabled attacks can weaponize code faster than ever before.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

While the speed of the threat landscape has undoubtedly accelerated, the fundamental argument remains unchanged: even in an AI-driven world, the benefits of transparency largely outweigh the risks of misuse.

The AI advantage: a double-edged sword

The core argument against releasing PoC code centers on accessibility. There's a pervasive fear that AI has tipped the scales irrevocably in favor of threat actors. The narrative suggests that by releasing a PoC, researchers are feeding sophisticated AI agents that can instantly rewrite, optimize, and launch attacks against organizations before they can patch.

A closer look at the adversary's workflow reveals a different reality. Threat actors, particularly nation-state groups, are driven by resources and results. If a vulnerability exists, they will work to exploit it.

The so-called "script kiddie" problem is real: unsophisticated actors can take publicly available code they don't understand and run it with minimal modification. That dynamic undeniably increases the likelihood that a vulnerability will be exploited in the wild.

But sophisticated attackers don't need public PoCs to inflict damage; they have the resources to develop exploits independently. If a flaw is exploitable and worth exploiting, those actors will write their own exploit code regardless of whether the research community publishes one.

When that happens behind closed doors, defenders are left reacting blindly to what is effectively a zero-day attack. That's far more dangerous than the risk posed by lower-skilled attackers. When adversaries hold exclusive knowledge of exploit mechanics, they enjoy an overwhelming advantage: security teams cannot test detections, validate controls, or understand how a vulnerability behaves under real-world conditions.

In contrast, public PoC releases move the industry toward an even playing field. The argument that AI uniquely empowers attackers ignores the other side of the equation. AI accelerates workflows on both sides. Just as a threat actor might use an LLM to understand or modify exploit code, defenders now possess the same capabilities. AI has reinforced the value of transparency by allowing defensive capabilities to mature faster than ever before.

Level the playing field

The phrase "knowledge is power" also holds true in cybersecurity. Historically, restricting knowledge inevitably favored the attacker. Attackers only need to be right once; defenders need to be right every time. By restricting access to PoC code, we inadvertently ensure that only well-resourced actors with malicious intent possess the "power" of exploitation.

Releasing PoC code democratizes that power. It lets defenders, including security operations centers (SOCs), vendors, and researchers alike, access the same information as the adversary.

In 2026, AI acts as a force multiplier for defense. When a PoC is released, security vendors can feed that code into AI models to generate detection rules within seconds, in some cases producing Snort, Suricata, and Sigma rules almost instantly by analyzing the exploit logic. Those generated rules are drafts until they have been validated against the PoC's actual traffic and behavior, but the first draft now exists in minutes. This rapid response capability was infeasible in the manual era.

The "time-to-defense" has shrunk dramatically. Defenders can parse, analyze, and build countermeasures against a vulnerability sometimes as fast as attackers can weaponize it. The core thesis for releasing PoCs remains: we cannot defend against risks we don't know exist, and we cannot mitigate what we don't understand. To build robust defenses, defenders need to know how a vulnerability works, not just that it exists.

If we withhold PoCs, we rely on "security through obscurity." We assume that if we don't talk about the hole in the wall, no one will find it. But attackers are naturally innovative. By hiding the PoC, we don't stop them; we simply disarm ourselves.

Ultimately, releasing PoCs in the AI age can maintain a balance of power between attackers and defenders. If we stop publishing, we hand the advantage back to the adversaries. Without careful disclosure, attacks remain mysterious and undetectable rather than manageable risks. At the same time, reckless disclosure can cause real harm. We need to find a middle ground.

The cybersecurity community must elevate its norms. Share with purpose. Disclose with discipline. We must hold ourselves to a higher ethical standard, one that appreciates the power of knowledge, the risks of abuse, and the urgency of equipping defenders before the next campaign begins.

AI has accelerated attack development and response times, but the fundamental challenge of sharing knowledge safely remains. As long as attackers operate in the open, defenders cannot afford to operate in the dark. Attackers will find ways to exploit our code.

So here's what I'm asking the industry to ponder: will defenders encounter that exploit code first in a lab? Or last, in a breach report, when it's too late?

Douglas McKee, director of vulnerability intelligence, Rapid7