
July 19, 2006


One of my favorite blogging/podcasting people, Martin McKeay, posted an article on his Computerworld blog yesterday about the debate over instant versus responsible disclosure. This was in addition to a conversation on the Security Roundtable Podcast that we had the other night, which will hopefully be posted soon. Martin and I are on opposite ends on this one. I think that instant disclosure in many cases amounts to yelling "fire!" in a crowded movie theater. What good does it do? Do you think consumers are going to do something with the information? Most only know that when Microsoft issues a patch, if they are using WSUS or Windows Update they get a patch. Using a third-party patch is, I think, playing Russian roulette. The only good I can see it doing is maybe putting some pressure on the software vendor to get something out because the public knows about the vulnerability. However, the other side of that coin is that forcing them to rush out a patch means quality suffers.

Now don't get me wrong: in my view of responsible disclosure, after a vendor has been made aware of a vulnerability, they should put out a fix in a reasonable time; otherwise it is perfectly OK to announce the hole publicly. But overall, I think we are all better off if the vendor is given some time to patch or fix the vulnerability before it is made public knowledge. I don't believe all hackers know of every vulnerability out there.


This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

