[haswell]

This seems like a fallacious analogy to me.

Why is a cracked bridge dangerous? Because anyone traveling over it or under it is at risk of being hurt if the bridge collapses. Warning people that it is cracking does not increase the likelihood of a collapse.

Why is a software vulnerability dangerous? Because anyone who knows about it and has nefarious intent can now use it as a weapon against those who are using the vulnerable software, and the world is full of malicious actors actively seeking new avenues to carry out attacks.

And there are quite a few people who would exploit the knowledge of an unlocked door if given the chance.

There’s a very clear difference in the implications between these scenarios.

[pixl97]

A cracked bridge is always dangerous.

A vulnerable piece of software is always dangerous.

There are large numbers of state funded exploit groups and otherwise blackhat organizations that find and store these vulnerabilities waiting for the right opportunity, say economic warfare.

Much like building safe bridges from the start we need the same ideology in software. The 'we can always patch it later' is eventually going to screw us over hard.

[haswell]

I agree with the conclusion that we need safer software from the start.

But we also have to deal with the reality of the situation in front of us.

I will maintain that the differences between the implications of revealing a crack in a bridge vs. prematurely revealing a vulnerability to literally the entire world are stark. I find it pretty problematic to continue comparing them and a rather poor analogy.

> There are large numbers of state funded exploit groups and otherwise blackhat organizations that find and store these vulnerabilities

This underscores my point. What you’ve been describing is a scenario in which those organizations are handed new ammunition for free (assuming they don’t already have the vuln in their catalog).