Ben Bucksch wrote:

> That's almost always the case. The worst and thus most important and
> interesting bugs will probably be kept confidential for a year or so.

That only makes sense if the bug is still open.

> In other words, I trust neither mozilla.org staff nor the security group
> at large to do the right decisions about disclosure. Even if they do the
> right thing most of the time, that's not enough. It's the exceptions
> that count here. One open security hole is enough to let everything fall.

So would you be okay with mandatory disclosure of bugs that *aren't fixed* after a certain period, but allow bugs to be kept secret indefinitely if a fix is provided?

Stuart.
