Disclosure: vulnerability pimps? or super heroes?

[gem at cigital.com (Gary McGraw)]

Hi all,

The neverending debate over disclosure continued at RSA this year with a
panel featuring Chris Wysopl and others rehashing old ground.  There are
points on both sides, with radicals on one side (say marcus ranum)
calling the disclosure people "vulnerability pimps" and radicals on the
other saying that computer security would make no progress at all
without disclosure.

I've always sought some kind of middle ground when it comes to
disclosure.  The idea is to minimize risk to users of the broken system
while at the samne time learning something about security and making
sure the system gets fixed.

Disclosure is the subject of my latest Darkreading column:
http://www.darkreading.com/document.asp?doc_id=118174

What do you think?  Should we talk about exploits?  Should we out
vendors?  Is there a line to be drawn anywhere?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com



----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------