Re: Public disclosure of discovered vulnerabilities

From: D. J. Bernstein (
Date: 05/15/05

Date: Sun, 15 May 2005 06:54:21 +0000 (UTC)

Nicol So wrote:
> The issue here is how the timing and manner of disclosing security
> vulnerabilities affect the user community.

In your analysis of the effects, you're ignoring the fact that shooting
the messenger reduces pressure on the designers and implementors who are
ultimately responsible for creating these security problems in the first
place. The impact of this long-term pressure is vastly more important
than any of the short-term issues you've mentioned.

> The discoverer cannot change history

Irrelevant. The problem is much larger than one historical error. The
problem is a gigantic _pattern_ of designers and implementors creating
security holes. Punishing designers and implementors for their mistakes
creates an incentive for them to be more careful in the future.

Your shoot-the-messenger attitude reduces the punishment, and therefore
reduces the incentive. You're seeing punishment as a bad thing because
you're ignoring the massive long-term benefits of the incentive.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago