More Turtles!

I guess every time I read misguided commentary about vulnerabilities, I should be allowed to respond, since I am not in the majority (yet ;-) ). In this case, you can tell Jason really supports my viewpoint, and I’ll show you where and why. 

The value of vulnerabilities
Jason Miller, 2006-03-07

An unfortunate title – Freudian slip? Happens to the best of us sometimes.

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn’t exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

Now, for whatever reason, the public disclosure of a vulnerability is often considered to coincide with its very existence. Even the often-used term "zero-day" seems to imply that an undisclosed vulnerability doesn’t really exist yet. This belief is a mistake that too many people make. It’s as if people are under the impression that these vulnerabilities don’t actually pose any sort of threat until they’re publicly disclosed.