Full Disclosure and Why Vendors Hate It

An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed."

That's why we have embargo dates

[unixan]

I work for a vendor and so I get to see the view from the inside out on this.

Most times, when a vulnerability is discovered by a professional security group or an upstream vendor, they both tell us what it is, and propose an "embargo" date for when they plan to make it public.

This gives vendors time to react properly but still serves the public with disclosure.