[olug] Security Vulnerability Disclosures

Eric Penne epenne at olug.org
Tue Mar 25 21:12:40 UTC 2003


I'm looking for a rational discussion, not a flame war, on the benefits of
full vs delayed disclosure of security vulnerabilities.  I know this topic
generally borders on the flame war type of discussion, but I'm reasonably
certain OLUG is above this childish crap.

I'm not a security professional by any means.  I run my small webserver
for my family and another for a friend.  As the sysadmin though I put
trust in the groups that I get software from.  One of those trusts is that
the software is secure.  I think that if the software is found to have a
vulnerability then it is my best interest to know right away so that I can
take action to prevent my servers from getting cracked.  If that means
taking my crappy little servers offline then I'll do that.  Another of
those trusts is that the software group tells me or publicly posts
information that I can find to alert me to the vulnerability.

I know some corporations cannot take machines offline.  How much of this
debate is about security, saving/making money from the security
information, and pure public relations?

In the end, I'm the person responsible for the ultimate security of my
machine.  I don't like people knowing something about my machine (which is
a reflection of me) that I don't know about.  If I had cancer, the doctor
would not withhold this from me, because it is about me.  This is one of
the reasons I like to use open source software.  Even though I don't go
through the code to find vulnerabilities, somebody else out there may be
doing it and they are not bound by some stupid EULA for non-disclosure of
problems.

The preceding was just a thought I had.  Comments, criticism, and general
thoughts are appreciated.  Flames will be sent where they belong, file 13.

Eric