I don’t believe that, but I am not trolling*.

My point is this: if the bad guys are finding different bugs (which I expect, given the huge number of available bugs in the code universe), but we are only worried about the ones that the good guys find, then we are misappropriating our resources. We should be making much more of an effort protecting ourselves from “known unknowns” – the bugs that we can all agree are likely to be discovered (by the good guys) a year from now but affect our systems now.

In the context of the original article – we should be thankful that fewer people know the details and shouldn’t be relying so heavily on the knowledge ourselves, especially given the known unknowns out there.

Btw, I think I have the best proof there is that bad guys find different bugs, but note that it is fairly sparse compared to the huge number of discovered vulns overall. See http://spiresecurity.typepad.com/spire_security_viewpoint/2007/11/updated-underco.html for details. In the spirit of your request for evidence, I would love if you provided your own.

*How can I be trolling my own blog?

They are not finding all the same bugs. Please show proof of this if you really believe it or you are just trolling.