SJ Mercury/AP: Computer analysts mull computer bugs
Aug 28, 2000, 22:50
[ Thanks to George Mitchell for this link. ]
"Some "bug hunters" who uncover security flaws in computer software and rush to issue public warnings may be helping hackers more than consumers, industry officials worry. It's a thorny issue that divides security specialists. Many argue that fast, full disclosure of a vulnerability alerts computer users to take precautions and pushes software makers to provide a quick solution. Others say telling about how software is vulnerable to hackers before companies have a chance to fix the problem only invites attack."
"There needs to be a Hippocratic Oath for security professionals," said Joel de la Garza of the Internet security company Securify. "A rule like 'first, do no harm' would be a very good thing, but highly unlikely." ... "People like to see their name in the newspapers," said Richard Smith, chief technology officer for the Privacy Foundation, a research center at the University of Denver."
"Smith, who has found many bugs himself, said security free-lancers perform a valuable service to software makers, often for free. But he doesn't believe discoverers should divulge enough to tip off hackers. "I'm dead set against full disclosure, I think it's really wrong. If Microsoft has a bug, it's a good thing to give just vague details," not a blueprint for exploiting it, he said."