On Sun, 27 Feb 2000, Avi Schwartz wrote:
No, we are not talking about security through obscurity. It is common to notify the maintainers of a piece of software about a security hole before you notify the public, to give them a chance to fix the problem.
It may well be common, does that make it correct?
If you find that the door locks are broken in your subdivision due to a manufacturing error, are you going to announce on the radio that the doors cannot be locked and invite every thief for a visit or are you going to replace the locks first and then notify everyone else about the problem?
Fixing holes in software isn't as easy as just popping down to the shops to buy a new lock. If the problem affects quite a few people, and isn't fixable in a short space of time (time varies depending on severity), notify people; then they can take steps to improve their security while the fix is being worked on, and may even help with the fix. A lock is not the only way to prevent access to your home; other steps can be taken if you suspect the lock may well be bypassable. If you aren't aware of the problem, you can't work around it, you can't take steps to fix it, you just keep on relying on it. /cog