No, we are not talking about security through obscurity. It is common to notify the maintainers of a piece of software about a security hole before you notify the public, to give them a chance to fix the problem. If you find that the door locks are broken in your subdivision due to a manufacturing error, are you going to announce on the radio that the doors cannot be locked and invite every thief for a visit, or are you going to replace the locks first and then notify everyone else about the problem?

Avi cogNiTioN wrote:
How do we know it was unknown? Unpublished, probably; unknown, almost certainly not. It is logical that if you found the hole, you're not the only one capable of finding it, and therefore not the only one who has.
Tell us we're not back to security through obscurity?
How many other unknown bugs are people able to compromise us using?
I thought one of the whole benefits of OSS was that security holes could be found quicker, published to the community (BugTraq anyone?), and patched by individuals while waiting for the vendor to do so.
-- Avi Schwartz Get a Life avi@CFFtechnologies.com Get Linux