Comments on: Partial Disclosure – The Good, Bad, and Ugly http://www.veracode.com/blog/2008/10/partial-disclosure-the-good-bad-and-ugly/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: CG http://www.veracode.com/blog/2008/10/partial-disclosure-the-good-bad-and-ugly/comment-page-1/#comment-2291 CG Wed, 22 Oct 2008 00:17:26 +0000 http://www.veracode.com/blog/?p=408#comment-2291 I'm not sure that partial disclosure is the way to go at all. The idea of researchers saying "I know something that you don't know" poses quite a challenge to a group of people who pride themselves on figuring tough problems out and generally believe that there should be few secrets that some know and others do not. Giving security people a few pieces of the puzzle and then expecting them to wait for the rest and/or keep quite once they figure out the puzzle? naaaa. Not to mention the FUD that promptly ensues (just like you mentioned and we say with the DNS vuln). I'm also not sure a "No Homers" club to decide on the impact of vuln is the right way to go either for the reasons you mentioned. But it is certainly within the rights of the researcher to chose their own disclosure method. I’m not sure that partial disclosure is the way to go at all. The idea of researchers saying “I know something that you don’t know” poses quite a challenge to a group of people who pride themselves on figuring tough problems out and generally believe that there should be few secrets that some know and others do not. Giving security people a few pieces of the puzzle and then expecting them to wait for the rest and/or keep quite once they figure out the puzzle? naaaa. Not to mention the FUD that promptly ensues (just like you mentioned and we say with the DNS vuln).

I’m also not sure a “No Homers” club to decide on the impact of vuln is the right way to go either for the reasons you mentioned. But it is certainly within the rights of the researcher to chose their own disclosure method.

]]>