"That's the debate in a nutshell: Is the benefit of
publicizing an attack worth the increased threat of the enemy
learning about it? Should we reduce the Window of Exposure by
trying to limit knowledge of the vulnerability, or by publishing
the vulnerability to force vendors to fix it as quickly as
possible?

What we've learned during the past eight or so years is that
full disclosure helps much more than it hurts. Since full
disclosure has become the norm, the computer industry has
transformed itself from a group of companies that ignores security
and belittles vulnerabilities into one that fixes vulnerabilities
as quickly as possible. A few companies are even going further, and
taking security seriously enough to attempt to build quality
software from the beginning: to fix vulnerabilities before the
product is released. And far fewer problems are showing up first in
the hacker underground, attacking people with absolutely no
warning. It used to be that vulnerability information was only
available to a select few: security researchers and hackers who
were connected enough in their respective communities. Now it is
available to everyone.

This democratization is important. If a known vulnerability
exists and you don't know about it, then you're making security
decisions with substandard data. Word will eventually get out --
the Window of Exposure will grow -- but you have no control, or
knowledge, of when or how. All you can do is hope that the bad guys
don't find out before the good guys fix the problem. Full
disclosure means that everyone gets the information at the same
time, and everyone can act on it."