On 3/23/11 9:46 AM, J. Oquendo wrote:
> How about we reflect reality?
We can't honestly do that, we all only have our perception. It's funny how we can get stuck in a trap of 0 and 1.
My perception is we'll always disagree on disclosure technique, or at least nitpick some minor detail into infinity like we do with politics or religion. We're human after all.
That said, bugs exist whether we find them or not, all software has them, and if the author had never reported them, that in no way implies they were not already known and/or being used for subversive means with the potential intent to cause harm.
I guess I'm oldsk00l enough to like responsible disclosure, but also anti-authoritarian enough (who's making the rules? why are they god?) to believe this is not black and white. Scare away those who disclose (regardless of method), and you're left with undisclosed vulnerabilities the bad guys with the most to gain ($$$ to invest in teams of hacke^H^H^Hengineers, not just script kiddies) still know about and can most effectively leverage.
I say the only bad disclosure is no disclosure. If vendors can't move fast enough, they'll be usurped by those who can make better use of new processes and technologies to keep up with trends.
PS: Is this really "hot" now? My only thought when I read the original post was "about time" -- SCADA has been known (as in publicly aired on broadcast television) to have many gaping vulnerabilities for at least a decade. The (obviously bogus) justification was usually its restricted deployment model.