I believe this discussion isn't appropriate for this list, for a very simple reason: Bugtraq is about full disclosure. If you're on the list, and you have a problem with full disclosure, I'd suggest having yourself removed from it, or at the very least ending this futile discussion. It's not a question about "having my beliefs challenged"; I rather believe it's a pointless, endless argument that can't be resolved.

There are numerous issues involved here:

* "freedom of information" -- does anyone have the right to withhold information from anyone else because it's too "dangerous"?
* Whether or not full disclosure is really more effective than partial disclosure or "waiting for the magic fix from the Gods"
* Who decides who is trustworthy enough to receive this information
* Does "security through obscurity" really work

and a bunch of others, I'm sure... Both sides will have "proven answers" for these questions, but I daresay most of these are merely opinion, unless someone has real concrete examples.

Here are the basic arguments that I've seen on the list:

1) Full disclosure is wrong because the "bad people" get ahold of the information and use it to their advantage before the "good people" have a chance to fix the problems. Only telling the "good people" avoids this issue. Plus, since we don't live in a world where it's easy to tell all the "good people" about the problems, the "bad people" can take advantage of this. And, announcing it right away pressures vendors into releasing software fixes before they've been verified. (Witness the latest round of fixes from Sun for the /bin/mail problems.)

2) Partial disclosure is wrong because the "good people" have little motivation to fix the problems -- it's "obscure" now, and only the "good people" know about it, so they can fix it at their leisure (meaning never). Also, some "good people" can't rely on their vendor to fix the problem because the vendor's out of business or no longer supporting their system, or they're not using vendor-supplied software. And, many people are perfectly willing, able, and capable of fixing software problems without waiting for their vendor to do Q&A or whatever they do to pretend that their software's fixed. This can be very important when your system's already been broken into via a previously-unknown hole or one that's still waiting for a fix from the vendor. I keep thinking of the "internet worm" somehow -- wasn't the DEBUG hole known for quite a while before the worm was run?

I used to be in a position where I would often write replacements for system utilities. Partial disclosure was usually useless to me, unless it contained enough information to figure out what the real security hole was in the first place. So I definitely was (and still am) on the side of full disclosure, merely for that reason (and others too, but this is probably the most important one). A great example was the discussion on /bin/mail: it was very useful to me to see the problems that Sun and other vendors were having, and it enabled me to make sure that these problems didn't exist in my own software. The statement "/bin/mail has a security hole, get a patch" would've been quite useless. Many times the types of bugs that I've seen are natural ones that any programmer who's writing programs for Unix could've made, and knowing what they are and how to avoid them is a great help.

I have a basic problem with partial disclosure: who decides who is "eleeet" enough to receive the full disclosure? If you're not in the "in crowd", you lose. And that's fine with me, ultimately -- if 8lgm decides they don't want to do full disclosure, that's up to them. But that doesn't mean the rest of us can't and won't disclose everything that we know in a free environment.

I'm not sure I like the idea of "partial eventually going to full disclosure" either. That doesn't solve a lot of the problems with partial disclosure, particularly the problem of: what do folks do that don't have vendor support, and aren't in the "eeleeeet crowd" that receives the full disclosure before the "general public"?

I doubt that anyone's going to have their minds changed by this note, nor is this endless discussion going to end, but I thought I'd throw in my $.02 anyway.

Bob