When Is It Right To Go Public With Security Flaws?
nk497 writes "When it comes to security flaws, who should be warned first: users or software vendors? The debate has flared up again, after Google researcher Tavis Ormandy published a flaw in Windows Support. As previously noted on Slashdot, Google has since promised to back researchers that give vendors at least 60 days to sort out a solution to reported flaws, while Microsoft has responded by renaming responsible disclosure as 'coordinated vulnerability disclosure.' Microsoft is set to announce something related to community-based defense at Black Hat, but it's not likely to be a bug bounty, as the firm has again said it won't pay for vulnerabilities. So what other methods for managing disclosures could the security industry develop, that balance vendors' need for time to develop a solution and researchers' need to work together and publish?"
Quote: The only thing releasing the information would do is cause a massive Zero Day event that would only harm consumers or leave them without the services of the software for several months.
---
So you prefer the alternate option, where you sit on it and only the black hats have access to the zero day event that would harm consumers and leave them without services of the software for several months.
I see the wide difference.
You would prefer you kept your exploits open and vulnerable, so no one can protect themselves against you.
I can only assume you are the attacker, as aiding anyone in protecting themselves is counter to your goals as you stated.
"no evidence that the exploit is being used in the wild" is simply a fancy way of saying "The exploit is clearly in the wild, as despite my beliefs on this matter, there really are people out there smarter than I who have noticed this before."
So thanks for making the world a more vulnerable place!