Story: Do 'irresponsible' security researchers help or hinder?
Here are a few key points:
1st: The guys who write the software should know it better than those who wish to exploit it. Therefore, even if a flaw is released publicly, the software creators should be able to release a patch for it before anyone can exploit it. From there on out, it's up to the users to ensure they are up to date.
2nd: An unreported flaw always tends to be an un-patched flaw. How many flaws have we heard about that were first reported to, say, Microsoft, then later released into the public domain? Only after the flaw was made public was the vendor willing to admit to the flaw and make a patch for it.
3rd: People who exploit flaws don't tell anyone about it. That would be counter-productive to their efforts. So if security researchers discover a flaw, it's entirely possible that that particular flaw is already being targeted by virus writers and hackers. If it is only reported to the vendor and not the public, the vendor will surely take their time patching, by which time those wishing to exploit it could have already done the damage.
4th: If a flaw is made public, a virus writer is less likely to want to exploit it since they know a patch will soon be released and their virus would become less damaging.
5th: Publicly reporting flaws shows the public just how many holes there are in their $/£00000 software and helps them to make an informed purchasing decision when they decide to upgrade or migrate. This will cause software writers to write better code and reduce the cost of the software.
In conclusion, making this information public speeds up the process of patching these flaws. It also helps force vendors to create higher quality software. It helps purchasers to make more informed choices and alerts users about possible exploits before the exploit is exploited.
Full Talkback thread
Story: Do 'irresponsible' security researchers help or hinder?
- "I'm afraid my take on the whole disclosure uproar..." (Todd Knarr)
- "In my view it's OK to give the vendors some t..." (Arthur B.)
- "Here are a few key points: 1st: The guys who write..." (Michael)
- "Mitsubishi Motors in Japan hid critical informatio..." (Anonymous)
- "Let's face the issue head on! When a company knows..." (Anonymous)