[Koffiepoeder]

What I don't understand is:

I'm a big fan of maintaining a forced 90 day disclosure period to pressure companies that do not address relevant security bugs.

But why, when a security issue is fixed, whitehats tend to always disclose immediately? Since it is fixed it is not relevant any more, and disclosing now only increases the likelihood of a hacker abusing the bug. Instead wouldn't it be better if the targeted entity just disclosed that "a critical security vulnerability was found" and that "users should upgrade immediately"?

I don't see the point of disclosing the specifics of a fixed security vulnerability soon after the fix? I understand that recognition is an important factor, but isn't it more logical to delay the recognition step for e. g. 6 months?

[kbenson]

Because blackhats look through updates to determine what has been fixed by reversing the change, and try to capitalize on the time between an update being available and it being widely deployed. The more you raise awareness of people that might be susceptible to attack in that time frame to get them to update sooner than automated systems would allow, the less victims there are to exploit.

I imagine there's probably a short time after update release, almost definitely in the single or double digit hours range, where you might be helping the blackhat that would reverse it do it quicker, but it's probably hard to do more harm than benefit by releasing the details earlier than later.

[ilikepi]

Well, even if the bug report wasn't disclosed, there's a decent chance it was reverse engineered out of the patch that was released a week ago by anyone with enough determination. It seems like the act of disclosing it soon after the patch is available allows information to propagate through the security community, which in theory helps accelerate the spread of the update.

[the8472]

People need to know when to update. Disclosure provides an incentive to do so, especially in corporate eenvironments.

Hackers on the other hand don't need to be informed, they can always look for juicy bugs the moment fixes are rolled out.

[tpush]

A hacker doesn't need the disclosure if a patch is already available.