Jason, > > I've proposed to Microsoft that they stop publishing Mitigating Factors in > their security bulletins, and now it looks necessary to propose the same > in > a more open forum. > I disagree. From a risk perspective you need to know mitigating factors. To kill the hype that accompanies a newly discovered vulnerability you need a cool, dispassionate, overview of the problem. Your sample 'aggravating' factor was anything but, and would be more likely to add to the hype. I think your decision to ask Microsoft first is a sign of your prejudice, why not ask the Open Source communities to lead the way? I can see it now: "WARNING: By using Open Source code anyone can modify the source, replace your binaries, and completely root your system!" John Howie CISSP MCSE President, Security Toolkit LLC
