singularity's Journal: On responsible disclosure...

A C|Net article, as referenced on Macintouch:

At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.

"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."

Hey - I have a solution! Who not simply say "Our policy is to release the details of the hole exactly one month after notifying the company."?

Mr. Schneier is correct - only full disclosure will keep the vendors honest. I do not see how giving a set time before releasing the exploit causes problems with this.

Now, I will say it is very possible that the article was written to have these two somewhat unrelated paragraphs next to each other. One seems to be talking about an embargo for a while after notifying the company, and the Counterpane quote seems to be talking about justifying releasing the information at all.

I can think of one problem with it

[Marxist Hacker 42]

Not all bugs can be fixed in a month. Some may take a few hours, some may take a complete re-engineering of the system and a four-month software cycle to complete.