Bugtraq mailing list archives
full disclosure
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Mon, 28 Nov 1994 11:35:07 -0500
[david () umbc edu]
I think that the biggest pro of full disclosure is that it gets people off their butts and gets a good solution or patch that much faster.
[spaf () cs purdue edu]
I have yet to see evidence of this. Based on my conversations with personnel at various computer companies, the only thing full disclosure seems to do is (sometimes) encourage them to release bug fixes without quite as much testing.
You should realize that if you talk to just "personnel at various computer companies", you're going to get a rather one-sided view of things. Personally, the biggest pro of full disclosure, and the reason I follow bugtraq, is that as far as security patches go, I am my own vendor. One of "my" systems is a NetBSD machine, which is fully user-supported and has no "vendor" one can get patches from; the other is a NeXT running an old release because there's no money to upgrade it, and it's running numerous pieces of freeware replacing the vendor stuff. That too I have to be my own support for - and without disclosure, I can't even tell whether I'm vulnerable, never mind how to fix it. Whether full disclosure is good or bad for the vendors and the resulting patches borders on irrelevant to me. I want full disclosure because that is the only way I have ever found for me to plug my holes before the fact.
If anyone can provide me with verifiable evidence that full disclosure results in faster production of patches of good quality, I would be very interested in seeing it. Otherwise, it's just wishful thinking.
Are you perhaps laboring under the delusion that everyone is running vendor software? Or perhaps that vendors, even when they still exist, are responsible about issuing patches in the absence (or even the presence) of full disclosure?
If nothing else, full disclosure levels the field. I have never heard _anyone_ claim that the Dark Side is even mildly hampered by lack of disclosure.
Feh. I'm disappointed to see you spouting this silliness, spaf, especially since if anyone ought to know better, it'd be you. (If you support disclosure for its other benefits and just meant to point out that david () umbc edu's reason was invalid, you perhaps should have made that clearer. You came across as anti-disclosure, at least to me.)
der Mouse
mouse () collatz mcrcim mcgill edu