Making people aware that vulnerabilities exist and how to protect
themselves is a good thing. However, I won't be able to participate in
such a newsgroup, and if Mozilla security problems are going to be
disclosed rapidly, this will seriously limit my and probably Netscape's
ability to participate in Mozilla security discussions. Basically, the
publishing of vulnerabilities will have to come from Netscape's PR
department, not from me or any other security engineers. I make a
distinction, as you apparently do, between technical discussion of
security bugs between engineers from different organizations, and public
disclosure of these bugs. I am much more interested in the former.
Along those lines, I am opposed to any hard and fast deadlines on the
public disclosure of any security bug information (such as requiring
disclosure of a vulnerability within five days). Such a requirement is
unnecessary, since the reporter of a bug has the option of taking it
public at any time.
-Mitch
Ben Bucksch wrote:
> Even if we don't fully disclose bugs, it is very important to have
> notifications about them.
>
-----
Views are mine, not Netscape's