Wednesday, November 2, 2016

Can't We All Just Get Along?

from here

Now, I'm not generally one to defend Microsoft, but full disclosure is a tool for getting uncooperative vendors to act on vulnerability reports. Microsoft has developed a reputation as a company that does act on them, and in any case 10 days isn't nearly enough time to conclude that it isn't going to.

Presumably the early disclosure was justified by the vulnerability being actively exploited, but active exploitation doesn't make developing a patch any easier or less time-consuming. Nor does it magically give users the ability to use the disclosed information to protect themselves. And it is users, not the vendor, who are actually affected by disclosure, because disclosure ensures that exploitation increases.