In a post published to his personal blog Friday, Evans called on researchers to help find flaws in Adobe's Flash Player. Previously, Evans had compiled a list of at least 18 Flash vulnerabilities that had been used by attackers since 2010.
He aimed his appeal at "gray hats," a term that has a variety of definitions in security, but that Evans used to describe researchers who uncover vulnerabilities to sell to government and law enforcement intelligence agencies, who presumably use them to hack targets.
"When you entered the greyhat world, they told you you'd be helping catch terrorists, didn't they?" Evans wrote. "Recent and ongoing revelations show that no, in fact, the biggest use of your work was enabling mass surveillance, the compromise of foreign nations and even the compromise of foreign corporations. If you want to make an actual difference, see above for where defensive help is needed."
That "see above" referred to the pitch for help in rooting out Flash vulnerabilities so that Adobe would patch them.
Evans' appeal didn't go unanswered: Others, including those from firms that market vulnerabilities to government and law enforcement, took to Twitter to bash Evans' appeal, especially his label of "hero" for researchers who have found flaws in Flash Player.
"If Googlers think that reporting fuzzed crashes/0days make them 'heroes,' Vupen is then 'superhero' with all 0days we reported at #Pwn2Own," Chaouki Bekrar, CEO of French vulnerability research lab and zero-day seller Vupen, said on Twitter Saturday.
A team from Vupen exploited vulnerabilities in Adobe Flash, Adobe Reader, Chrome, Microsoft's Internet Explorer and Mozilla's Firefox at the Pwn2Own hacking contest earlier this month, winning $400,000 for its work.
At Pwn2Own, researchers are required to disclose vulnerabilities to ZDI, which in turn hands the information to vendors.
Sign up for CIO Asia eNewsletters.