Suppose you are a software vendor and you discover a serious security flaw in one of your popular products. How should you deal with the situation? You could try to hide it and hope no one else discovers it, or you could release a patch together with full details of the vulnerability. There are several options in between those two extremes, and this article in ACM Queue discusses how to choose among them. Once you settle on an approach there are further decisions to make, such as how much detail to disclose, whether or not to credit an external organization with the discovery, and the timing of the announcement.
Overall, four approaches are covered: silently patch; patch and announce without details; patch with full disclosure; announce without a patch.