Happy to share a little experiment we are trying. microsoftedge.github.io/edgevr/posts/S… I am not sure if it will stick but we will see. Here is how I personally think about the matter 1/? The impact of security bugs today is far different than it was 10 years ago. Entities like NSO Group and their customers have leveraged these bugs to do some horrible things to journalists, human rights activists, and others. 2/?

Lets chat V8 and perf. One of the most common exploit primitives is to abuse the fact that WASM jit pages are RWX. You ever wonder why? Ironically it's because of asm.js! (yes that old stuff) , you see asm.js code is translated to WebAssembly by V8.. Thread 1/?

https://twitter.com/thezdi/status/1379799037206016005

This code is compiled to WASM bytecode. In the past permissions were flipped on the W^X memory but this operation was expensive. So for performance reasons those pages are RWX. JS runs faster and exploits are easier. yay! 2/?

The most interesting aspect of this was the exploitation of trust in the security research community. We often take for granted the unique relationship we have with our 'adversaries'. Thread..

https://twitter.com/ShaneHuntley/status/1353856344655204352

If you have worked in this industry long enough you likely have friends who are both blackhats and whitehats. We all play 'spot the fed' at Defcon and at times we share ideas with each other. I've shared drinks with exploit brokers, government employees and