by ziddoap
830 days ago
> I'm very much in favour of the private vulnerability research and responsible disclosure, but the "no silently patching vulnerabilities" sounds more like dick swinging to me than actually wanting to improve people's security.

Rather than dick-swinging, it's generally an acknowledgement that large organizations move slowly and need a bit of prodding to apply patches in a timely manner. If you're a big-and-slow company, there is a significant difference in how quickly you'll worry about applying the patch that says "here's a minor patch" and the patch that says "here's a patch for a severe vulnerability". I have worked with several companies which simply will not update something unless they are either mandated to or it is a large enough security risk.

Read more about Rapid7's opinion on silent patching at https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-...