"The point is that I really appreciate the work of
bughunters. Of course I would like to know as soon as possible
whether the programs I use have security flaws. I'm honestly
thankful for every bug that someone finds in my programs. I also
understand the greed for being the first to report a bug.
On the other hand, if I discovered a bug, I would think very
carefully if I should not inform the author before I submit a
report to a security-site on the net. For what do you gain - except
being first - when suddenly everyone knows the bug, but no
alternative is available? Would it then not have been better if the
author had had a few days more to work without pressure on a clean
solution? Why not live in Acknowledgements and Thanks-sections in
place of spiteful dreams of angry programmers who introduce new
bugs while fixing the old ones in a panic?
A note on bugtracking-lists: Everyone can blindly copy every
announcement and report from the net, bundle and publish them. Even
a program can do that. But what is it good for? Do you really
expect someone to learn a list by heart in order to say someday:
'CGIForum? Hm, wait---yes, I once saw it in a bugtracking-list.
Don't use it.' To my mind, it's more likely that a person who
wants to use a program will do some research on the web anyway. In
this case, a list which offers minimal information per package, but
this in great density, buys you exactly nothing."