The Other Side of Full Disclosure

Danny Quist of Offensive Computing has a guest blog post on Full Disclosure at ZDNet. (Note: this means I didn't bring it up, somebody else did).

Not surprisingly, I have some comments (mostly reiterations) on some of his points, excerpted in italics:

It floors me to think that it is acceptable for vulnerabilities to be left unpatched for a serious amount of time.

I can understand the emotion behind this comment but not the logic. As it is, there are many vulnerabilities that are left unpatched — all the ones we don't know about yet.

I consider 90 days to be entirely too long to patch a vulnerability.

This sounds like an arbitrary number of days. It would be great to understand Danny's background with global software development to understand how he can conclude that this is "entirely too long."

You can disagree with full disclosure, but it is a useful motivational tool. … Limited or closed disclosure creates complacency, which amounts to willful neglect.

Again, here are conclusions that are unsupported. I can believe that full disclosure is motivational, but I am not sure this brings about more secure software. In addition, I think it would be much more motivational for software companies to have to deal with exploits in the wild. The final point here is a simple opinion with no basis.

I wish there was some other way than full disclosure to motivate vendors. Unfortunately it is the only method available that has a proven track record of working.

This really is closed-minded thinking. With the process as broken as it is already, we need more people thinking outside of the box. There IS another way to motivate vendors – seek out undercover vulnerabilities being exploited in the wild. After all, these exploits are oft-mentioned and yet also ignored. These are the ones I worry about most.