by mikeash
3960 days ago
And again with the ridiculous analogies. It's really difficult to have a serious discussion about computer security vulnerabilities when people keep comparing it to throwing rocks through windows or weapons of mass destruction. And yes, it's relevant, because the severity of a problem can and does influence how problematic various approaches are. This is a local root exploit. Those are common and not generally problematic. The barrier to escalating from a normal user to root is at best the absolute last line of defense, and often completely irrelevant. It's a problem that should be fixed, don't get me wrong, but the severity is about 2 out of 10. The fact that I think it's not a bad thing to release information like this has no bearing on what I would think about releasing information on building a suitcase nuke from household ingredients. Could we try to keep the conversation grounded, here?
|
But that isn't what you've been saying - rather, you've been making the general argument that releasing information is not damaging or bad, and that we should only hold the people who exploit vulnerabilities responsible - not those who disclose them. Multiple people have argued against you on this.
Now you have switched your position to 'It's not bad to disclose vulnerabilities unless they are severe'. This seems much more reasonable, and came as the consequence of you being presented with what you are calling 'ridiculous' analogies.
To me this seems like a serious discussion done right.