Ahh yesterday’s 0day has predictably re-opened the “going-nowhere” debate on disclosure. I’m pro-full disclosure. I’m not anti-responsible disclosure, though, when appropriate.
The bottom-line for me: I’d rather know about the issues and have them exposed so I can deal with them, than to have them stifled or hidden or the exposure delayed. Disclosure improves our security (responsible or full).
(While I am happy to respect the opinions of responsible-disclosure folks, there isn’t really an argument that would change my mind, just as I expect no argument of mine would change their ideas or those of the “no disclosure” camps. It just is as it is. I’m happy with the current state of vulnerability disclosure. Kinda like abortion rights, I think this is one of those areas where staying on the fence is the right choice, versus standing on one side or the other without any real clear, inarguable reasons [short of any bias, like the ‘duh’ of a vendor preferring anything *but* full disclosure…].)