Industry Fears the Red Pill
Richard Forno, 2001-08-30

The security community must choose between the red pill of full disclosure or the blue pill of security through obscurity.

Right on! 2001-08-30
Odium Devonix (aka Hatred)
Bad analogy? 2001-09-03
Coldman
Full Disclosure 2001-09-03
H Carvey <keydet89@yahoo.com>
The red pill 2001-09-06
Dave Hudson (1 replies)
The red pill 2001-09-17
abaximus <pr0digy26@hotmail.com>
I agree with full-disclosure. But as you said "responsible" full-disclosure. I think that if you're going to disclose the HOW, WHY, and even some code that will fix the vulnerability, that it doesn't matter whether you give out the exploit code or not. I can take the FIX code, and get the exploit code out of it. There's always going to be a way to get exploit code. And this whole thing that Micro$oft has way more holes, etc... Let Linux, or any other OS gain as much popularity as Windows, and you'll see the vulnerability rates rise in any of them.

SO...I think that the best thing that can be done is to GET the exploits out there, LET people know....SHARE information, and that will help strengthen the security of the internet. Keeping secrets will make the situation worse.

Remember...this is all personal opinion.

I'll be back...


Link to this comment: http://www.securityfocus.com/comments/columns/20/7100#7100

Copyright 2009, SecurityFocus