Disclosure Survey
Federico Biancuzzi, 2006-09-05

Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.

Disclosure survey 2006-09-05
Todd Knarr
As noted, timeliness of response by the vendor's an issue. Another one is an (IMHO unwarranted) assumption behind all the vendor disclosure rules: that the fact that the general public doesn't know means that the black-hats don't know either. My suspicion is that the black-hats do know about these 0-day vulnerabilities and have been quietly exploiting them long before the researchers uncover them. If that's the case, then suppressing disclosure to the world does nothing to protect anyone and leaves everyone unwittingly open to being exploited. At least if I know there's a vulnerability in some product I can firewall it off or disconnect it or switch products even if there's no fix available. I can't do that if nobody tells me about the problem.

Copyright 2009, SecurityFocus