Comment Re: Fixed yesterday (Score 1) 85

No. We were talking about what impacts that particular security model has. Then people started getting personal. I said it's better to know sooner, even if would-be attackers find out as well. You disagree and would rather everyone fly on ignorance while the vendors (and possibly governments) dally about. You're welcome to your opinion.

Comment Re:Not a bad guess. Doesn't happen to be right (Score -1, Troll) 85

Backpedal with fallacies if you like.

The vast majority of bad guys who exploit things AFTER public release often don't even know there is a new exploit added to the toolkit.

Well then those admins aren't doing their jobs. They ought to be monitoring those public lists...oh right, they're all largely neutered now thanks to 'responsible' disclosure.

The immediate disclosure position depends on the argument that if there are a dozen people in the world who could theoretically find it, we should distribute an exploit to tens of thousands of bad guys.

Versus the knowledge remaining the exclusive domain of people who discover it, many of whom wish to weaponize it for their benefit, or worse, sell it to kiddies who will now use it against admins who still have no clue about the vulnerability. They can now operate with impunity until some admin discovers evidence of past attacks and makes it public. Of course, he will likely do so without the carnal knowledge required to mitigate because he doesn't know how it works. At that point, the damage is already done.

Comment Re:Absolutely. Take down Wikipedia with one packet (Score 1) 85

During that time the NSA knew about it and likely got away with using it because it was not disclosed. It's not guaranteed that someone else will figure it out, but it grows more likely with time, especially for holy-grail vulnerabilities that crooks and state actors crave. Eventually, someone will use it, or, worse, has been using it all this time. Full disclosure forces earliest-possible resolution, either from the vendor, by admin mitigation/workaround, or by user migration from the broken software. The latter two can't happen without it, and many vendors ARE slow to respond, especially if they feel they can ride on the shortsightedness of the 'responsible disclosure' culture. It also forces vendors to prioritize security in their development process. They'll want to avoid that mad Darwinian rush you're talking about. As far as state actors go, fuck them. They're no better than the ransomware crooks.

You can't operate on the assumption that everyone's a good guy who wants to work out the problem amicably. That's the thing with full disclosure, it doesn't matter what the motivators are for the release, it matters that people who need to know, now know.

I realize your position is the current consensus, but I don't agree with it. The current crop of 'WannaCry' style malware is a perfect example. Microsoft is one of those who wants 'responsible disclosure' and yet still refuses to make the architectural changes needed to stop these kinds of attacks. All we get are shitty band-aids. Vendors need to feel the economic impacts from bad security that their users do in order to motivate change in their cultures.

Comment Re:Not a bad guess. Doesn't happen to be right (Score 0) 85

You're right, it does give kiddies access, but it also gives admins access too. The worst possible outcome is admins not knowing the hole is there when they're attacked by those who've decided to exploit the vulnerability themselves.

Depending on security through obscurity and vendor charity is foolish. If you've been working in this field as long as you say, you ought to know that. I remember the squabbles over full disclosure vs 'responsible' disclosure years ago. I'm not convinced the current consensus on the latter benefits anyone but lazy vendors and those who want to capitalize on vulnerabilities.

Comment Re:Absolutely. Take down Wikipedia with one packet (Score 0) 85

Attackers don't wait weeks or months for the vendor to respond, and if you happen to be the first to figure it out, you can pretty much guarantee that someone else with less savory intentions is right behind you. If your goal is to help, the best way is to release publicly ASAP, because it gives users the most time possible to mitigate incoming attacks as well as forcing the vendor to prioritize a fix.

The temporary "security through obscurity" of 'responsible disclosure' is a fool's game, and only works at all if the vendor happens to be responsible (and responsIVE). Many of them aren't, and have long histories of ignoring reports for marketing reasons, dragging their heels with fixes (ego, or hoping to get people to pay for their next version), and suing the informants. Buffering vendors from this Darwinian process does not help the would-be victims of their buggy software, as it does not coerce them into prioritizing better development practices.
