Security Focus: Closing the Window of Exposure: Reflections on the Future of Security
Sep 19, 2000, 22:05
(Other stories by Bruce Schneier)
"Every season yields a bumper crop of computer security stories: break-ins, new vulnerabilities, new products. But this season has also given us a crop of stories about computer security philosophy. There has been a resurgence in opposition to the full disclosure movement: the theory that states that publishing vulnerabilities is the best way to fix them. In response, defenders of the movement have published their rebuttals. And even more experts have weighed in with opinions on the DeCSS case, where a New York judge ruled that distributing an attack tool is illegal."
"What's interesting is that everybody wants the same thing; they're just disagreeing about the best way to get there."
"When a security vulnerability exists in a product, it creates what I call a window of exposure. This window exists until the vulnerability is patched, and that patch is installed. The shape of this window depends on how many people can exploit this vulnerability, and how fast it is patched. What everyone wants is to make this window as small as possible."