Microsoft Admits to Hiding Flaw Details
Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."
Re:scandal!
Au contraire. The RFPolicy [wikipedia.org] gives the vendor five working days to respond to a communication from the discoverer of a vulnerability, after which the discoverer can go public at any time. The discoverer and vendor are encouraged to work together to make a joint statement of the vulnerability once there is a fix.