Message
From
15/11/2001 12:29:59
Jonathan Cochran
Alion Science and Technology
Maryland, United States
 
General information
Forum:
Level Extreme
Category:
Other
Miscellaneous
Thread ID:
00581562
Message ID:
00582210
Then there's the issue of whether disclosing the security bug will help system administrators implement work-arounds to protect their systems. It almost needs to be on a case-by-case basis.

>>>>FWIW, we write software that a lot of people use. If someone reported a bug to us that said one of our calculations was off, that's something we want to fix, not something we want to be criticized for.
>>>>
>>>>If there is a security bug in IIS, if I were MS, I'd rather fix the bug and release a patch instead of creating a Code Red scenario every 2 weeks. And, as a user of Windows and IIS, I'm glad we don't have a code red every two weeks.
>>>
>>>Great point.
>>
>>The IIS issue may be a great point, but VFP ain't IIS and there are no CodeRed-like worries with VFP!
>>As to the other point, Fox Software didn't suffer any ill effects from making its bug list public. In fact I bet that that very fact attracted users rather than deterred them.
>
>Whether I want full disclosure depends on the situation. For VFP, yes I would like to know what to look out for and have that in KB articles and an Index. When it comes to software bugs where disclosure would be a red flag for hackers, I want a patch and immediate availability instead of disclosure first.