Shostack + Friends Blog Archive


Full Disclosure == Torture

Or so says the Mogull over at Securosis. This particular section sums up my own feelings about the necessity of full disclosure quite well.

I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be a last resort, not a first strike. It’s more powerful as an ever-present threat hanging over the heads of the most unresponsive of vendors. Dropping vulnerabilities and proof of concept code on a daily basis just hardens the vendors and lets them paint you as an out of control rogue.

At this point, I’m pretty much a fanboy of Rich’s anyway after his posts “February is “Month of No Bugs”” and “SAS 70 Has Nothing To Do With Security”, the latter of which I’ll post more about next week.