"The point is that I really appreciate the work of
bughunters. Of course I would like to know as soon as possible
whether the programs I use have security flaws. I'm honestly
thankful for every bug that someone finds in my programs. I also
understand the greed for being the first to report a bug.
On the other hand, if I discovered a bug, I would think very
carefully if I should not inform the author before I submit a
report to a security-site on the net. For what do you gain - except
being first - when suddenly everyone knows the bug, but no
alternative is available? Would it then not have been better if the
author had had a few days more to work without pressure on a clean
solution? Why not live in Acknowledgements and Thanks-sections in
place of spiteful dreams of angry programmers who introduce new
bugs while panically fixing the old?
A note on bugtracking-lists: Everyone can blindly copy every
announcement and report from the net, bundle and publish them. Even
a program can do that. But what is it good for? Do you really
expect someone to learn a list by heart in order to say someday:
'CGIForum? Hm, wait---yes, I once saw it in a bugtracking-list.
Don't use it.' To my mind, it's more likely that a person who
wants to use a program will do some research on the web anyway. In
this case, a list which offers minimal information per package, but
this in great density, buys you exactly nothing."