> > http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Interesting article, but it tells us nothing. They merely talk about Full vs. Responsible Disclosure, and they admit that it's an ongoing debate. The overall conclusion after 12 pages in the article: "the disclosure of zero-day vulnerabilities causes a significant risk for end-users, as the volume of attacks increases by up to 5 orders of magnitude". Common sense, lol, and zero day comes no matter what.

Responsible Disclosure is Security-Through-Obscurity, and Security-Through-Obscurity DOES NOT WORK. You are pushing back zero day and claiming it's a good thing. Not only do crackers who already have the vulnerability get to use it for that much longer, but now you're also widening the exposure (ever so slightly) of the vulnerability. Now you not only have those 1 or 2 crackers to worry about, but also every "analyst" in the closed security group, their wives, their children, ALL the software they run on the machine on which they analyze it (all it takes is one bug), etc. etc. etc. There are infinite ways for the information to be leaked unintentionally.

Scenario: A vulnerability exists. One cracker finds it and keeps it all to himself. 30 days later, one analyst finds it and reports it to this private network of security analyst friends (a few thousand people, perhaps?). 2 weeks later, the vulnerability is publicly disclosed and the fix is released. The 2 weeks in which the thousands of "trusted" individuals have access to the information are much more dangerous than the 30 days in which one cracker has it all to himself. The solo cracker can only do so much by himself (I'm certainly not claiming we shouldn't be afraid of him, but that's a different discussion than Full vs. Responsible Disclosure).

Rationale: During those two weeks, the likelihood that the information escapes into the wild (into the underground cracker circles worldwide, where information flows like water) increases tremendously.
Check and mate,
d3fault

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development