[david@umbc.edu]
> I think that the biggest pro of full disclosure, is that it gets
> people off their butts and gets a good solution or patch that much
> faster.

[spaf@cs.purdue.edu]
> I have yet to see evidence of this. Based on my conversations with
> personnel at various computer companies, the only thing full
> disclosure seems to do is (sometimes) encourage them to release bug
> fixes without quite as much testing.

You should realize that if you talk to just "personnel at various computer companies", you're going to get a rather one-sided view of things.

Personally, the biggest pro of full disclosure, and the reason I follow bugtraq, is that as far as security patches go, I am my own vendor. One of "my" systems is a NetBSD machine, which is fully user-supported and has no "vendor" one can get patches from; the other is a NeXT running an old release because there's no money to upgrade it, and it's running numerous pieces of freeware replacing the vendor stuff. That too I have to be my own support for - and without disclosure, I can't even tell whether I'm vulnerable, never mind how to fix it.

Whether full disclosure is good or bad for the vendors and the resulting patches borders on irrelevant to me. I want full disclosure because that is the only way I have ever found for me to plug my holes before the fact.

> If anyone can provide me with verifiable evidence that full
> disclosure results in faster production of patches of good quality, I
> would be very interested in seeing it. Otherwise, it's just wishful
> thinking.

Are you perhaps laboring under the delusion that everyone is running vendor software? Or perhaps that vendors, even when they still exist, are responsible about issuing patches in the absence (or even the presence) of full disclosure?

If nothing else, full disclosure levels the field. I have never heard _anyone_ claim that the Dark Side is even mildly hampered by lack of disclosure. Feh.
I'm disappointed to see you spouting this silliness, spaf, especially since if anyone ought to know better, it'd be you. (If you support disclosure for its other benefits and just meant to point out that david@umbc.edu's reason was invalid, you perhaps should have made that clearer. You came across as anti-disclosure, at least to me.)

der Mouse
mouse@collatz.mcrcim.mcgill.edu