Instead of immediate disclosure of security holes, I believe that the originator of a security exploit should first attempt to open a discourse with the maintainer of the affected software. Rain Forest Puppy discusses such a policy at http://www.wiretrip.net/rfp/policy.html. Disclosure of the exploit should come eventually so that we can all learn from the mistake. As someone who is in the security field, I would rather learn from the mistakes of others than subject our customers to the same mistake in our own products because of ignorance.