On Mon, 6 Mar 2000, Jussi Laako wrote:
I'm viewing it from statistical point of view. Let's say that 10
know about the vulnerability (if we don't announce it to whole world),
not very likely that YOUR system gets hacked. But if we announce it,
about 1000 or 10000 crackers will know about it. Now it's much more
that YOUR system gets hacked?
Just an observation, but if 10 crackers know of a vulnerability then pretty soon it will be on a web site somewhere and the 1000, 10000 or 100000 will be just around the corner. They certainly wont feel any need to be discrete about it. It is certainly something that needs to be kept in mind when formulating a bug alert policy..