Re: Public disclosure of discovered vulnerabilities

From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 05/17/05


Date: Tue, 17 May 2005 18:13:16 +0000 (UTC)

Nicol So wrote:
> I've been careful not to assign blame

You said that ``public announcement of a vulnerability'' harms users.
That statement is, on its face, a declaration that a bad effect (the
harm) was caused by a specific prior action (the disclosure). You then
argued that this was a reason to avoid the prior action; so you were not
merely stating causality but in fact stating blame. Perhaps you should
read http://www.law.duke.edu/journals/64LCPSolan.

But I really don't care about the terminology. What I care about is your
continued failure to acknowledge a particular class of critically
important positive effects---namely, disclosure leading to designers and
implementors taking extra care and producing systems that don't _have_
the security holes in the first place.

All of the effects that you've been talking about, however important
they might seem from a short-term perspective, are negligible compared
to the overwhelming influence of designers and implementors upon users'
security. Even the tiniest contribution of disclosure to this mechanism
is vastly more important than anything dreamt of in your shortsighted
philosophy. Your failure to consider this effect is a fundamental flaw
in your ``optimization'' of disclosure.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
