Relation between disclosure and risk
Posted Sep 17, 2005 3:08 UTC (Sat) by vonbrand
In reply to: Firefox buffer overflow and full disclosure
Parent article: Firefox buffer overflow and full disclosure
It is not so simple... The risk is a growing function of how many black hats know about the problem. So disclosure increases risk, as black hats as a whole are rather secretive about their exploits. On the other hand, knowing about the risk helps in taking countermeasures, so it decreases risk. It simply isn't clear which of the two tendencies wins out. I'd wager that most users just rely on the "automatic upgrade" of their software, so public disclosure (somewhat) synchronized with the patch release schedule of the vendors should minimize risk.