On the first point, I think you’ve missed what we’re saying. You have to consider who the actors are who are willing to pay to suppress vulnerability information. While there are many people who want to suppress, there are demonstrably very few will to pay for the suppression. They are, almost entirely, the bad guys. I think you’ll agree that taking vulnerabilities out of the hands of the bad guys is a good idea.

Second, the history of vulnerability repair is very clear on this point. Prior to the wonderful world we have reached today, precious few software makers would fix even the most egregious flaws without, as you put it, “blackmail” to move them along. We also recognize that this lever to move vendors can be and has been misused, sometimes more than occasionally. We don’t propose to solve all the problems here, merely that the balance of factors tips in favor of disclosure.

Our final point is somewhat more anecdotal, but is based on direct experience in large enterprise security operations. I’m curious about your purported “proof.” I think you may be falling into a common trap of thinking that the number of incidents and the visibility of incidents is interchangeable with rigorous calculation of risk. For the latter, we need to understand the true costs of incidents in business terms and there are many examples of very serious incidents that have never been publicly disclosed, the prevention of which would trump many times over any of the big public events like worm outbreaks. These incidents increasingly use previously unknown vulnerabilities.