Here is an excerpt from a recent SearchSecurity.com article that we found interesting…
If 2006 began the trend of researchers launching ‘month-of’ flaw disclosure projects, 2007 was the year such projects ceased amid a rising wave of criticism among those who thought it was more about ego than better security
“Software vendors are notorious for taking months or years to produce a security patch,” said Metasploit Framework creator H.D. Moore, whoseMonth of Browser Bugs in July exposed 31 browser holes, most affecting Microsoft’s Internet Explorer. “The ‘Month-of’ projects put pressure on the vendor to address an issue in a reasonable amount of time. In my experience, nothing produces a patch faster than a published exploit.”
LMH, the researcher behind the Month of Kernel and Month of Apple bugs, said, “It’s better to have someone disclosing your security flaws than having them known by the bad guys, only. This pushes the vendor to change its procedures and policies for vulnerability handling and disclosure. And that’s where users benefit.”
But with the Month of Apple Bugs now underway, some security bloggers are criticizing the disclosure projects as something designed more for press attention than better security.
That’s not to say the critics don’t find some value in what the researchers are doing.
The Security Curve blog, for example, takes on the issue of press attention while still finding value in exposing Apple’s security holes.
The full article is here.