"In the previous message, John DiMarco said..."

> [ ... ]
>
> Surely there is a third way: time-lapsed full disclosure. When a problem is
> discovered, don't announce it until there's a patch, then announce the problem
> and the patch together, without exploitation information.

BINGO!!!! That is what I (and many others) have been advocating all along.
A stepwise approach: Vendor first, then partial disclosure (including a note
that full disclosure is coming in about a week or so - depending on the
individual problem at hand), and finally the full disclosure, with at least an
attempt at a fix included if humanly possible.

If the hole was discovered via a cracker's break-in, that shortens the time
frame a lot, as the cat's pretty much out of the bag.

In no case should the delay be so long that the affected OS is dead and
stinking, though...

> After a suitable time (weeks?) has passed, the rest of the information can be
> announced. But don't post scripts to exploit the bug; it gives root to too
> many newbies.

I'll go along with that. But sufficient info for an admin to figure things out
enough to TEST for the bug. It will help the admins, but I think a canned
gimmie-root script all ready to run is a bit much. But I will take the canned
scripts in preference to the CERT-like approach.

[ ... ]

--
pat@rwing [If all fails, try: rwing!pat@eskimo.com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence." -- Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.