by abugheratwork
2559 days ago
I agree with the idea that availability of information is good, and that information about the context for a security-related change should be made transparent. But how relevant is it? I would think relevant enough for FAQ or other reference information. I wouldn't include it in announcements, though. The headline is "patch available, mitigating known exploit". "Not yet widely exploited" is barely a footnote. The release of a patch can bring enough attention to make the window between release and full deployment of the patch the single worst time to be vulnerable. If I tell you it wasn't being exploited yesterday, and you delay patching based on that information, and then the storm of exploits blows through ... I'd feel bad.

Maybe you wouldn't, but US-CERT, Mozilla, etc. do...
https://www.us-cert.gov/ncas/current-activity/2019/06/18/Moz...
https://www.mozilla.org/en-US/security/advisories/mfsa2019-1...