Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
What's the story with these ads on Slashdot? Check out our new blog post to find out. ×
Security

Journal singularity's Journal: On responsible disclosure... 1

A C|Net article, as referenced on Macintouch:

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

Hey - I have a solution! Who not simply say "Our policy is to release the details of the hole exactly one month after notifying the company."?

Mr. Schneier is correct - only full disclosure will keep the vendors honest. I do not see how giving a set time before releasing the exploit causes problems with this.

Now, I will say it is very possible that the article was written to have these two somewhat unrelated paragraphs next to each other. One seems to be talking about an embargo for a while after notifying the company, and the Counterpane quote seems to be talking about justifying releasing the information at all.

This discussion has been archived. No new comments can be posted.

On responsible disclosure...

Comments Filter:

I was playing poker the other night... with Tarot cards. I got a full house and 4 people died. -- Steven Wright

Working...