Attack on Vulnerability Disclosures Part 2: They Actually Do Some Good, Just Not What is Intended
I have a few more thoughts on yesterday's post about vulnerability disclosures.
While I agree with Ranum that the rush to make public every vulnerability under the sun has not necessarily improved software security, it has certainly raised awareness of the problem outside the developer and security communities. Let's face it, if users hadn't been bombarded with relentless news about vulnerabilities in Windows, Internet Explorer, MS Office products and a host of other applications, would they care as much as they do now? I think there is a heightened sense of awareness about security in part because of the press about vulnerabilities. News about malware and phishing scams also contributed, perhaps even more, to this increased understanding of the current state of security, but vulnerabilities played a significant part.
So are vulnerability researchers all bad? Of course not. They have definitely helped raise awareness about security, but now that awareness is in place, it's time to tone down the rhetoric about vulnerabilities and irresponsible software developers that "need their feet held to the fire." Sure, keep looking for vulnerabilities, but when they are found, tell the developers, don't tell the world.