

Forget Disclosure — Hackers Should Keep Security Holes to Themselves - npguy
http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/

======
saurik
The author makes it sound like an exploit, when found, is a magical object of
wonder that was found by extreme luck and skill and thereby, if ignored, will
cause no problems... in fact, from spending a lot of time with the kinds of
people who routinely find and use these kinds of bugs (iPhone jailbreak scene),
I feel pretty confident saying: exploitable bugs are extremely common, they
are often easily findable by people with relatively little programming
experience (with fuzzers, or even just normal usage), and in most situations
(normal computers or even small devices that do not spend inordinate amounts
of time on anti-exploitation measures) do not take rocket science to
exploit... in a world with these properties you have to assume that "the bad
guys" already have the exploit you just found, and thereby any time the vendor
spends obfuscating the bug fixes (which this guy claims is somehow important
or useful) is just increasing everyone's risk.

------
WettowelReactor
The quote "Vendors are motivated to protect their profits and their
shareholders’ interests over everything else." misses the point. You cannot
build shareholder value over any extended period of time by screwing your
customers. It is cheaper in the short run not to patch flaws but completely
detrimental to your long-term image. Just look at Microsoft, who is still seen
as the poster boy of insecurity despite nearly a decade of security reform.

