Ian G wrote:
Side question: the economics of disclosure is a current
research area for myself and Adam Shostack ... are there
any summaries of the positions of the opposing camps
on that debate?

I don't believe that there is any single document that contains a complete summary of the arguments for and against full disclosure of security vulnerabilities. However I did post at least one message that both addresses the arguments for full disclosure and also touches on the sort of "economics of disclosure" issues that you and Adam are interested in:
http://groups-beta.google.com/group/netscape.public.mozilla.security/msg/f0839d0487a76b9a

(I couched this in probabilistic terms: how do you maximize the chances of fixing security vulnerabilities while minimizing the damage to users resulting from such vulnerabilities, with the independent variable being the number of people to which the vulnerability is disclosed.)

If you're interested in this topic you might check out the following threads from netscape.public.mozilla.security:

http://groups-beta.google.com/group/netscape.public.mozilla.security/browse_thread/thread/518ec36a2fbb2ae0/f0839d0487a76b9a?q=group:netscape.public.mozilla.security+author:Frank+author:Hecker&_done=%2Fgroups%3Fas_q%3D%26num%3D100%26scoring%3Dr%26hl%3Den%26ie%3DUTF-8%26as_epq%3D%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnetscape.public.mozilla.security%26as_usubject%3D%26as_uauthors%3DFrank+Hecker%26lr%3D%26as_drrb%3Dq%26as_qdr%3D%26as_mind%3D1%26as_minm%3D1%26as_miny%3D1981%26as_maxd%3D4%26as_maxm%3D2%26as_maxy%3D2005%26safe%3Doff%26&_doneTitle=Back+to+Search&&d#f0839d0487a76b9a

http://groups-beta.google.com/group/netscape.public.mozilla.security/browse_thread/thread/923334fa28af4960/fe1cbd9f3135d67a?q=group:netscape.public.mozilla.security+author:Frank+author:Hecker&_done=%2Fgroups%3Fas_q%3D%26num%3D100%26scoring%3Dr%26hl%3Den%26ie%3DUTF-8%26as_epq%3D%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnetscape.public.mozilla.security%26as_usubject%3D%26as_uauthors%3DFrank+Hecker%26lr%3D%26as_drrb%3Dq%26as_qdr%3D%26as_mind%3D1%26as_minm%3D1%26as_miny%3D1981%26as_maxd%3D4%26as_maxm%3D2%26as_maxy%3D2005%26safe%3Doff%26&_doneTitle=Back+to+Search&&d#fe1cbd9f3135d67a

http://groups-beta.google.com/group/netscape.public.mozilla.security/browse_thread/thread/7c838e09a57de0f1/9ce626a50a87ce54?q=group:netscape.public.mozilla.security+author:Frank+author:Hecker&_done=%2Fgroups%3Fas_q%3D%26num%3D100%26scoring%3Dr%26hl%3Den%26ie%3DUTF-8%26as_epq%3D%26as_oq%3D%26as_eq%3D%26as_ugroup%3Dnetscape.public.mozilla.security%26as_usubject%3D%26as_uauthors%3DFrank+Hecker%26lr%3D%26as_drrb%3Dq%26as_qdr%3D%26as_mind%3D1%26as_minm%3D1%26as_miny%3D1981%26as_maxd%3D4%26as_maxm%3D2%26as_maxy%3D2005%26safe%3Doff%26&_doneTitle=Back+to+Search&&d#9ce626a50a87ce54

(This is not necessarily a complete record of the discussion, just the results of a few minutes searching Google.)

Incidentally, note that the initial discussions on this topic took place in March 2000, and we didn't come to agreement on a final policy until November 2001, 18 months later.

Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto