Mike Rothman’s Daily Incite yesterday pointed me to a post on Disclosure at Securosis.com. (Mike indicates this is Rich Mogull’s blog, so I will call the writer Rich.)
Rich has some interesting things to say, but falls into the usual trap of believing that there really aren’t any bad guys exploiting vulnerabilities out there. In that case (no true bad guys), we "need" good guys to disclose vulnerabilities to keep the vendors honest. (Of course, this is silly since without bad guys vendors are honest in this respect anyway).
For those of us who do believe there are bad guys who will exploit vulnerabilities regardless of disclosure, it is easy to see why the disclosure discussion holds no water. Without a doubt, a vendor would be kept more "honest" if the identified vulnerability came at the time of an in-the-wild exploit. People would care a heck of a lot more. We would have better security solutions. It is clear as day for anyone who doesn’t have a stake in the game.
It is actually a pretty interesting post, with a lot of truth to it. But Rich needs to do a bit further analysis to get to the right conclusion.
He also completely ignores two other big issues: 1) scarcity of discovery collisions (bad guys are unlikely to find the same vulns as good guys); and 2) conflict of interest.