Then there's the issue of whether disclosing the security bug will help system administrators implement work-arounds to protect their systems. It almost needs to be on a case-by-case basis.
>>>>FWIW, we write software that a lot of people use. If someone reported a bug to us that said one of our calculations was off, that's something we want to fix, not something we want to be criticized for.
>>>>
>>>>If there is a security bug in IIS, if I were MS, I'd rather fix the bug and release a patch instead of creating a Code Red scenario every 2 weeks. And, as a user of Windows and IIS, I'm glad we don't have a Code Red every two weeks.
>>>
>>>Great point.
>>
>>The IIS issue may be a great point, but VFP ain't IIS and there are no CodeRed-like worries with VFP!
>>As to the other point, Fox Software didn't suffer any ill effects from making its bug list public. In fact I bet that that very fact attracted users rather than deter them.
>
>Whether I want full disclosure depends on the situation. For VFP, yes, I would like to know what to look out for and have that in KB articles and an index. When it comes to software bugs where disclosure would be a red flag for hackers, I want a patch and immediate availability instead of disclosure first.