A thread among Linux supporters might be interesting to read. First, a word of warning: it contains some bad words, so it might be good to abstain if your environment doesn't allow them. Anyway, the thread is archived here.
My personal feelings:
- Security bugs are different from normal bugs, as they require security staff to respond to them. If we don't know that the developers silently fixed security bugs, only our adversaries might find out about them and exploit them.
If a Linux kernel panics while a user is using the system, that is potentially a serious risk to availability, but those responsible for risk and security might also be concerned about confidentiality and integrity in their environment, and nobody but they would know what is more valuable to them and their organization. If we collectively keep them in the dark, they'll have to choose blindly.
- I'm sure we all feel our task is the most important. Finance will feel that getting invoices paid is the most important thing, R&D will feel that without their products there would be nothing to invoice, support will feel that without them no customer would want to pay for the crap development crafted, ... We're all important parts of the machine that generates money; let's get over that and allow the others to do their part without crippling them.
- I fully agree there is way too much media attention and fame involved with creating exploits, publicizing vulnerabilities, and the like.
Unfortunately, a major circus doing just that is starting soon in Las Vegas.
I wonder when the first security researcher (should that not be insecurity researcher?) will hire a PR agency to help him make the discovery public most effectively. Or has that been done already? After all, quite a few companies out there offer monetary incentives for the right to publish such research ...
- Full Disclosure, including "weaponized" exploits is not what we need as defenders. In fact, it creates more victims in the short run. The long run is hard to predict, but I doubt it'll change much regarding the creation of an attitude to only release "bugfree" software.
- Open source has a fundamental issue with security bugs. On one hand, the public availability of the source code documents the bug, even if it's not pointed out. On the other hand, it's next to impossible to warn the defenders about security bugs before the attackers learn of them. Full Disclosure might be one of the more extreme solutions pushed by some. It seems Linus is pushing hard for the complete opposite: obscurity, which isn't a solution either.
Hence we need a better balance.
I like the OpenBSD solution a lot, but that's looking at its track record in results, not at the method, which, I'll admit, is quite harsh if you're a developer from an alternate OS, nor at the egos involved.
Let us know what you think, how you would balance the need, ... and in a few days I'll publish a follow-up diary [please keep it a bit more "G" rated than what Linus did].
Swa Frantzen -- Section 66
Jul 29th 2008