One of my favorite blogging/podcasting people, Martin McKeay, posted an article on his Computerworld blog yesterday about the debate over instant versus responsible disclosure. This was in addition to a conversation we had the other night on the Security Roundtable Podcast, which will hopefully be posted soon. Martin and I are on opposite ends on this one. I think that instant disclosure in many cases amounts to yelling "fire!" in a crowded movie theater. What good does it do? Do you think consumers are going to do something with the information? Most only know that when Microsoft issues a patch, they get it through WSUS or Windows Update. Using a third-party patch is, I think, playing Russian roulette. The only good I can see it doing is maybe putting some pressure on the software vendor to get something out because the public knows about the vulnerability. However, the other side of that coin is that forcing them to rush out a patch means quality suffers.
Now don't get me wrong: in my view of responsible disclosure, after a vendor has been made aware of a vulnerability, they should put out a fix in a reasonable time; otherwise it is perfectly OK to announce the hole publicly. But overall, I think we are all better off if the vendor is given some time to patch or fix the vulnerability before it is made public knowledge. I don't believe all hackers know of every vulnerability out there.