Security Through Non-Disclosure

Aug 19, 2006

Charles Miller:

Often, full disclosure is explained as a way to make sure vendors are responsive, using “naming and shaming” to force a faster patch schedule. This is certainly one aspect of the practice, but far more important is the fact that it gives those people who might be running the vulnerable software enough information to make informed decisions about their security.

He’s totally right, of course. I can understand not talking about a security hole, but once its presence is known, the best strategy is full disclosure.