Exploit release

[Martin Bealby <mxb285 () bham ac uk>]

I was thinking about the process of exploit release recently, due to the
case of the Frenchman publishing his finding of research into those
steganography programs, when I came upon a strange thought.

If I find an exploit, and publish it straight away, I could annoy a
(possibly large) number of users, and the software developers. Although
I don't see how I could sensibly be attacked legally.

However, if I find an exploit, notify developers, wait a certain time
period (also told to the developers), and the developers have not and
will not fix it, what can I do? If I publish anyway, wouldn't I be open
to possible blackmail charges?

Which option would be best to follow?

Personally, I think it's a difficult choice. Option one seems to cover
your own back but could lead to a large number of exploited machines,
while option two should (theoretically) lead to fewer exploited machines
(due to software updates), but could turn nasty. If I was faced with
this situation, I'm not sure what I would do.

Cheers,
Martin

Attachment: signature.asc
Description: This is a digitally signed message part