Full-Disclosure Wins Again 122
twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported it to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not considering the vendor stated "..I'm not sure we could fix it all anyway without a rewrite." Looks like they could fix it, but just needed a little full-disclosure motivation."
Re:I agree with you for the most part, but... (Score:3, Informative)
The only gray area is determining just how much time is reasonable to release a patch. The standard accepted period these days seems to be between two weeks and two months. Mozilla's CEO would say "ten fucking days." Escaping part of an SQL string or recompiling code with a buffer overflow check doesn't take all that long to do.
If a vendor chooses to ignore a researcher, it does not change that fact that the researcher acted responsibly by providing the vendor with the courtesy of a "heads up" warning.
Re:Require login, forbid any subdirectory access. (Score:3, Informative)