by Cyphase 993 days ago
(The details of the following depend on the nature of the flaw/exploit.)

I think a pre-announcement gives much more advantage to the population of defenders than to the population of attackers.

Attackers can move faster than most defenders, and they only need to find one weak link. Also, there are a lot more defenders in various states of readiness, and only one attacker with the resources to spray the internet with the exploit needs to find it in order for there to already be a big problem.

How much faster will attackers be able to do anything because they know it's coming? Mostly only as long as it would have taken them to hear about it.

How much faster will defenders be able to do anything because they know it's coming? They can spend the next week making a list of things that need to be done and places that they'll need to deploy updates, so that when it's available they can act immediately and efficiently.

The risk that attackers will suddenly find the flaw after years because they were told "there's a flaw in cURL" seems low.

There is a risk that the details leak to attackers in advance of the release.

1 comment

Agree with everything you said except possibly:

> The risk that attackers will suddenly find the flaw after years because they were told "there's a flaw in cURL" seems low.

I'm not so sure about that. I still understand why they're handling it this way, but this is bait, like a big red bullseye or a rainbow with a pot of gold at the bottom …