> > I'd rather see a fix before the whole wide world notices that my
> > servers can be compromised. Like if I leave my door wide open, and
> > notice it on the way to the office, I'd first phone the
> > neighbours, and not tell everyone who happens to come by.
>
> Not quite the right metaphor.

Indeed.

> Public announcement of security problems: Anyone's allowed to tell you
> your door is open. It's up to you whether you close it straight away,
> or wait for someone to tell you how to close it.

This is not public announcement. This is announcement to ME, a "closed list". Anyone can find the vulnerability and notify the vendors and upstream, the ones who have the ability to fix it. However, would they announce it publicly, I'd get robbed straight away, before I get a chance to rush home or phone the neighbours.