I strongly support the publishing of vulnerabilities as long as proper protocol is observed. Although it is true that it may be used in a malicious manner after publishing, chances are it already is being used. Case in point - the debate over the "Code Red" virus and the IIS vulnerability. The vulnerability was uncovered, not discovered, by eEye Digital Security and was so stated in their advisory. The advisory was published after the software manufacturer had made public a patch. Thus stressing the importance of admins keeping up to date on security patches (yes, I know, easier said than done - we all are running a heavy work load). It's a catch-22... publish it, and have it used maliciously (which it probably already is or will be), or keep it quiet and depend on the software manufacturers to 1. make a patch 2. make the patch available in a timely manner. I think making the problem public expedites the availability of a patch... stimulates discussion and further analysis about the problem, thus hearing different viewpoints... and hopefully stresses the importance of good sound security practices, which cannot be ignored any longer - none of us has that luxury any longer. The threats are out there, always have been and probably always will be... keeping them under wraps and "hush, hush" will not make them go away.