[Owasp-singapore] Poll: Full disclosure or wait until vendor releases fix

Wong Onn Chee ocwong at usa.net
Tue Jul 6 12:03:55 EDT 2010


Hi folks,

With reference to
http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/, I would like
to seek your views on this perennial question:

Should we practice full disclosure before the fix or wait until the
vendor releases the fix?

The cons of the former have been mentioned in the above article, namely that it
gives rise to an increase in the number of exploits.

For the latter, the problem is that sometimes the product vendors drag their
feet in releasing a fix.
They usually focus first on vulnerabilities which have known public
exploits, instead of those discovered but undisclosed vulnerabilities.

Like to hear your personal views on this question.

Cheers!

-- 

Best Regards
Onn Chee


