Jan Wieck <JanWieck@Yahoo.com> writes:
> No, Peter.
>
> Posting a vulnerability on a public mailing list "before" there is a known fix
> for it means that you put everyone who has that vulnerability into jeopardy.
> Vulnerabilities are a special breed of bugs and need to be exterminated a
> little different.
Many people disagree with this. Posting the vulnerability isn't what puts
people into jeopardy, the presence of the vulnerability puts people in
jeopardy. Posting it at least allows people to disable the feature or close
off access. Or at least monitor for possible intrusions. Not posting it leaves
people in jeopardy and in the dark about it.
If you think you're the first one to find the vulnerability you're probably
wrong. Often malicious hackers who search for vulnerabilities find them and
keep them secret long before they're reported.
How would you feel if your system was compromised and then you found out later
that it was a known security hole in a feature you had no need for and the
vulnerability had been kept secret?
This is really the wrong place to have such a debate. This is a long-standing
debate and one that you should at just recognize exists. Don't present one
side as dogma.
--
greg
