Archive for April, 2010

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Posted on April 29 2010 by Pete Lindstrom

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…)
At this stage of [...]

Can you have “more secure software” and still have greater risk?

Posted on April 27 2010 by Pete Lindstrom

Answer: Yes.
Here’s how: The software element of the risk equation only accounts for vulnerabilities; it doesn’t address threat. So we can reduce our vulnerability level and therefore have “more secure software” in the midst of increased risk. This manifests itself in a higher number of incidents, which is the outcome of the threat and vulnerability [...]

Rudeness, risk and vulnerability disclosure

Posted on April 26 2010 by Pete Lindstrom

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point:
“However, vuln disclosure isn’t friendly. It is an inherently rude act.”
It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]