Vulnerability Development mailing list archives

about disclosure of nimda logs


From: lorenzo <lorenzo () digitalmind it>
Date: 08 May 2002 20:01:16 +0200

I agree with the fact that on those mailing lists there is a full
disclosure of vulnerabilities; but let us not forget that there is
usually a period of time left to the vendors to fix them.

So, why not allow a period of time after which the logs will be made
public?

The question is: can the owner of the machine be contacted?
If yes, then allow him 2 weeks.
If not, let's say 3 weeks.

I'm saying '3 weeks' because sometimes people don't want to leave
contact information, or their contact e-mails are too spammed - so it's
not necessarily their fault if they cannot be contacted.
But after 3 weeks I assume that every script kiddie in the world will
have the machine's address, so publishing it won't affect the
bandwidth too much.

Opinions?

-- 

lorenzo
lorenzo () digitalmind it

