by alan_cx 5189 days ago
From an ignorance and slightly tongue in cheek POV...

...is there a difference between discovering a new exploit and discovering that a company is open to an old or well-known exploit? This sounds like the latter.

I'm all for disclosure of a newly found exploit because by doing so you are informing everyone who might have the problem, and that allows them to take action, etc. But if this is just one business that refuses to fix a known problem then, well, that's their stupidity, no?

See, the bit that bothers me is that publishing the "news" that one company is vulnerable has to be a bit iffy. It's like publishing a list of buildings that don't have good door locks or something. We don't see that in the real world, so why would it be reasonable for the IT world? I mean, there is no legitimate list of vulnerable buildings created by white hat burglars, is there? It's never been legit for such burglars to gain access to a building and leave a note describing the poor security on the CEO's desk.

3 comments

> It's never been legit for such burglars to gain access to a building and leave a note describing the poor security on the CEO's desk.
Unless, of course, you happen to be Richard Feynman. Which most of us aren't.

http://www.silvertrading.net/articles_lagniappe_01_richard_f...

I've had "Surely You're Joking" on my Kindle for almost a year now and have never read it, but every time I see anything written about Feynman I realize that I'm almost certainly missing out. He sounds like the most interesting man.

You are missing out on a readable book divided into short chapters. It's basically all anecdotes. Easy to intersperse with your other reading.

> I mean, there is no legitimate list of vulnerable buildings created by white hat burglars, is there?

But the interesting question is not whether such a list has ever been written. The interesting question is whether such a list is legal to write.

Maybe such a list would be beneficial in the long run. Anyone who has practiced lock-picking knows that most lock-based security is little more than an elaborate honor system.

> I'm all for disclosure of a newly found exploit because by doing so you are informing every one who might have the problem and that allows them to take action

You also assume that it is the company that will suffer and they are the ones that have to take action. A lot of companies are public facing companies that store and maintain sensitive customer information. I thought the main reason to disclose the research is not to help the company not lose millions at the end of the quarter but to warn their customers that this company can potentially leak your information.

> It's like publishing a list of buildings that don't have good door locks or something.

It is like publishing a list of buildings that store others' belongings (like a bank) that don't have locks on them. You want to disclose that fact because chances are someone else found the vulnerability and is exploiting it. It would actually seem very irresponsible not to disclose it in that case (after, say, it turns out many people's stuff goes missing).