
And now the bad guys know there is a very serious vulnerability, somewhere.


The bad guys already assumed that.

Seriously - the entire premise of IT security (no matter the color of your hat) is the assumption that there is no such thing as a secure computer.


Knowing that there is a vulnerability might motivate them to look for it, but given the size of the software, I doubt they'll be able to find it without knowing more.


You'd be surprised; on Windows, at least, there are people who reverse engineer the security patches from Microsoft in order to determine the initial vulnerability[1].

[1] http://www.phreedom.org/presentations/reverse-engineering-an...

Edit: Misinterpreted your post. You're right, it's unlikely that they'll guess where it is until a patch comes out.


Because there are enough people running Windows who haven't applied the patch that figuring out how to exploit it is a worthwhile undertaking.

Then again, IME of many years as a PostgreSQL DBA, the vast, overwhelming majority of postgres shops aren't running anywhere near the latest release, so depending on how far back this vulnerability goes, there could be a very large number of exploitable targets...
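As an added example that is not part of the thread above: one defender-side consequence of the point that most shops lag far behind the current release is that you want a quick way to triage an inventory of `SELECT version()` banners against the first fixed release of each branch. The branch-to-fixed-version table below is a labelled placeholder, since the thread names no versions; fill it from the advisory's release notes. The banners are constructed sample input.

```python
"""Triage PostgreSQL version banners against per-branch fixed releases.

Added example, not code from the thread or from the PostgreSQL project.
The FIXED_BY_BRANCH numbers are HYPOTHETICAL placeholders: the thread does
not name the affected versions, so replace them with the advisory's values.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# HYPOTHETICAL minimum fixed release per supported branch (placeholder data).
FIXED_BY_BRANCH: Dict[str, Version] = {
    "9.4": (9, 4, 12),
    "9.5": (9, 5, 7),
    "9.6": (9, 6, 3),
    "10": (10, 1),
}

# Matches the numeric part of a `SELECT version()` banner, e.g.
# "PostgreSQL 9.6.2 on x86_64-pc-linux-gnu, compiled by gcc ...".
VERSION_RE = re.compile(r"PostgreSQL (\d+(?:\.\d+)+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return the version as a tuple of ints, or None if the banner is unreadable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version: Version) -> str:
    """Release branch: 'major.minor' before 10 (e.g. 9.6), 'major' from 10 on."""
    if version[0] < 10:
        return f"{version[0]}.{version[1]}"
    return str(version[0])


def assess(banner: str) -> str:
    """Classify one banner as patched, vulnerable, unsupported or unknown."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(branch_of(version))
    if fixed is None:
        # A branch with no fixed release in the table: either end-of-life
        # (no patch will come) or simply not yet entered. Either way it
        # needs a human decision, so keep it out of the "patched" bucket.
        return "unsupported"
    # Tuple comparison handles 9.6.2 < 9.6.3 and 10.0 < 10.1 directly.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by assessment so the vulnerable list can be acted on first."""
    buckets: Dict[str, List[str]] = {}
    for host, banner in sorted(inventory.items()):
        buckets.setdefault(assess(banner), []).append(host)
    return buckets


# Constructed sample inventory (host -> banner), not real systems.
SAMPLE_INVENTORY = {
    "db-prod-1": "PostgreSQL 9.6.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
    "db-prod-2": "PostgreSQL 9.6.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
    "db-staging": "PostgreSQL 10.0 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 6.3.0, 64-bit",
    "db-legacy": "PostgreSQL 9.3.22 on x86_64-unknown-linux-gnu, compiled by gcc 4.4.7, 64-bit",
    "db-broken": "connection refused",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts)}")
```

The branch logic matters more than it looks: PostgreSQL changed its numbering at 10, so "9.6" is a branch but "10.0" is the first release of branch "10". Comparing bare version strings lexically would misplace both cases; comparing integer tuples within the right branch does not.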


The knowledge may also motivate them to prepare for attacks to be executed once the vulnerability is public but most instances do not have it patched. Scan the Internet for PG backed applications, identify high profile ones, prepare automatic scripts, etc.


> Scan the Internet for PG backed applications, identify high profile ones, prepare automatic scripts, etc.

It rather works like:

- take exploit
- spread it over the whole internet and call home where it sticks


They'd know it was there as soon as a patch was released, anyway.



