2002-02-11
What are we to make of Microsoft tapping a former hacker prosecutor and IP lawyer for its top security spot? Nothing good.
Charney an Ominous Microsoft Pick
existence on information, full disclosure (i.e. disclosure without allowing the vendor to publish a patch first) is
reckless and irresponsible. (To all the flamers: I don't work for MS, and I don't excuse security vulnerabilities.) "
I don't think most of the responsible people interested in security are proponents of publishing an exploit before the vendor has a chance to release a fix. However, if the vendor has been notified, yet not responded, or released a fix in 30 days...60 days...then it's reasonable to publish the vulnerability in order to perhaps light a fire under them. Personally I would be willing to live with knowing the exploit is there, and how to prevent it, if possible, while the vendor works on a fix. *After* the fix is released, or the vendor fails to respond in a reasonable time, then publish the mechanics of it. This is NOT what MS wants. They want us to *never* know the mechanics unless we have a contract with one of their "approved" partners. That is nuts.
Link to this comment: http://www.securityfocus.com/comments/columns/59/10481#10481