Torvalds on the Linux Security Process

darthcamaro writes "Linus Torvalds thinks that Linux kernel security disclsoure should be completely open and he really doesn't like the vendor-security model of having a time embargo on security disclosure. 'I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses,' Torvalds wrote. 'And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons.'"

No!

[91degrees]

Scenario 1: Bug is detected. Full disclosure including exploit.

Result: Mallory uses exploit. Alice releases a bugfix, Bob applies the fix. If it takes Alice andBob longer than Mallory, the server is compromised.

Scenario 2: Bug is detected. Kept quiet.

Result: Eventually Mallory detects the same bug. Exploits it. Server compromised.

Scenario 3: Bug is detected. Released only to trusted developers.

Result: Alice releases bugfix. Announces that it fixes a security hole. Gives general details of what the bug is. Mallory has to work out the details and exploit it. This gives bob a lot more time to apply the patch than scenario 1.

So what's so great about full immediate disclosure?