Well the issue is quite simple...Until software development organizations first accept responsibility for the software they produce, including liability and accountability for security flaws, they should not even consider attempting to regulate or even suggest control measures regarding the disclosure controls currently implemented by the security community. In fact, seeing as most software vendors, particularily those of commercial operating systems have absolved them of any responsibility to the end user for usage of a software product, the offending software vendor only recieves a public embarassment. The security community is doing a favor for the users of those software vendor's products through awareness, of which the software vendor would rather have the user kept 'in the dark' about the security falicies resulting from the vendor's inadequate approach to security.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/270/8297#8297