[Owasp-singapore] Poll: Full disclosure or wait until vendor releases fix
Wong Onn Chee
ocwong at usa.net
Tue Jul 6 12:03:55 EDT 2010
With reference to
http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/, I would like
to seek your view on this perennial question:
Should we practice full disclosure before the fix or wait until the
vendor releases the fix?
The cons of the former have been mentioned in the above article: it
gives rise to an increase in the number of exploits.
For the latter, the problem is that sometimes the product vendors drag their
feet in releasing a fix.
To them, they usually focus on vulnerabilities which have known public
exploits first, instead of those discovered but undisclosed vulnerabilities.
I would like to hear your personal views on this question.