Matasano Chargen: Mogull and Lindstrom Are Smart, But Have Nothing New To Say About Disclosure

  • LonerVamp · 3 years ago
    I'm certainly not going to enter the fray of arguments for and against full disclosure (I don't wield rhetoric nearly surgically enough to stand up amidst the sparring parties), but I will say that in my short time in the security field, I have become a firm believer in full disclosure. Much like the RIAA futilely fighting against merging music with "electronic distribution," I feel that opponents to full disclosure are dangerously bound to find themselves in the past. Full disclosure is the future, for better or worse. And they may as well get on the side of better. Rather than whine and argue it for years, make a decision, and move forward with it, for the betterment of everyone.
  • ivan · 3 years ago
    aha! the RIAA analogy is a good one (let's add the MPAA to the lot as well) they will eventually listen to your "embrace change" pledge but only when there is no other option left and after they've exacted the last possible penny of the consumer using non electronic-distribution means.
    Full-disclosure (whatever that means) is not the thing of the future, it is the thing of the past and if it is still an accepted practice it is because before it there was no web, no bugtraq, no google, no security advisories and no publicly available information about security flaws. That is the only known and tested alternative and it is demonstrably a failure.

    Some people, surprisingly some smart security industry analysts and not surprisingly some greedy businessmen, choose to ignore reality and would like us all to go back to the age of security obscurantism. I've been there, it wasn't any fun and I don't want to go back. You can play ostrich if you like but don't expect me to do it.