You do a very good job of describing the purpose of vulnerability disclosure as a means of achieving better information security. You draw the conclusion that the things you've described are *bad* -- many other people draw the conclusion that these things are *good* and in particular find it important to remind vendors that they cannot expect the public to accept marketing propaganda in lieu of the truth.
The point really is to make vendors, users, admins, and others who desire real security aware of the fact that there are resources available to them where good people post the exploits that bad people otherwise develop and keep to themselves. We cannot prevent bad people from sharing exploit information.
Do you honestly prefer not to know that your software is flawed and that those flaws are being exploited to cause your customers harm?
How many times will your customers be harmed between the time that a vulnerability in your product is first discovered and exploited and the time that you are notified or find it yourself and then 1) release a fix, 2) communicate the need for the fix to your customers, and 3) achieve 100% install base for the update?
Your own story of discovering BugTraq the hard way shows that prompt disclosure to the public created instant security hardening, without your involvement or consent, of systems running your vulnerable software.
Why do you expect to be the only person responsible for your customers' security? That is just emotional nonsense-thought driven by a system of values that you acquired from Microsoft without realizing it. I've been in contact with you on an irregular basis for almost a decade, such as when I wrote about your software in "Setting Up An Internet Site For Dummies" -- and in many ways my professional path resembles your own. I can tell you from personal experience, and from the experience of watching you and people like you struggle to comprehend information security after-the-fact, that your opinions on this subject have been shaped by the way that Microsoft discovered information security after-the-fact. You have been spoon-fed knowledge of infosec through pain and suffering, just like every other Windows user/developer/admin.
What you still don't realize is that other vendors' customers, Linux houses, etc. didn't go through such a long and difficult learning curve to arrive at awareness of security. How much longer will it take for us defected Windows professionals to achieve the level of understanding of and concern for security that the rest of our industry has possessed for decades? I don't know the answer to this question, but I do know that it's amazing anyone paid us to do work at all during the 1990's because on the whole we did them harm through our lack of awareness.
It sure is a good thing that legal product liability does not exist in the software business.
Sincerely,
Jason Coombs jasonc@science.org
Alun Jones wrote: ...
...I really don't know why _you_ signed up for Bugtraq. Me, I signed up because someone posted an exploit for my software here some time ago, and didn't bother to tell me about it first. I'd like to think that isn't Bugtraq's purpose.
