On Fri, Oct 19, 2012 at 8:27 AM, Oswald Buddenhagen <[email protected]> wrote:

> google "responsible disclosure"

No need, and that's hardly an argument. What if I said: google "full disclosure" as my counter-argument? So anyways I'll bite, even though we've already been over this.

Responsible disclosure is very similar to full disclosure except that there's a window of time where a variable-size group of individuals is sitting on the vulnerability information until a fix is delivered. As I've said before, holding onto that information only extends the window in which an exploit can be utilized. It has a vital flaw: it requires you to trust other human beings. A group of them, no less.

"Security information moves very fast in cracker circles." ( http://openbsd.org/security.html )

You only need ONE weak/corrupt link in your group of "trusted" analysts for the practice of "Responsible Disclosure" to now ACTIVELY CAUSE HARM TO USERS who you are trying to protect. Full disclosure allows everyone to analyze their own situation and decide whether or not to bring their systems down (sometimes this can't be helped) until a fix is available.

Next!

d3fault

_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
