But that's not how the security community works. Once this was posted literally every security team jumped on writing a PoC exploit and distributing it to customers. There will be point and click modules in Metasploit, IMPACT, and CANVAS by the end of the week at latest.
This is the key bit for me: Rubygems is literally straining with everyone being frantic to upgrade. Giving it a few days means that everyone can patch their apps.
I don't believe that everyone will listen to little old me, of course, but that doesn't mean I can't tell them I don't think it's a not-great thing to do.
You completely misunderstand my point. I don't think that this is the only person who knows this, that'd be idiotic. They are, however, the only person who posted it in this thread. Giving it more publicity. I don't think that that extra publicity is appropriate.
Even now you still think it's useful to hide information from the "general public" and avoid "extra publicity"?!
The cat is out of the bag. You can no longer negotiate with this reality.
Publicly disclosing a bug is like birthing a baby. Once it's sticking halfway out, just get it all the way out because it's counterproductive to try to hold parts of it back in.
The post does not include any directly usable exploit code and does not describe command execution vectors. Furthermore, information about the bug was published on twitter almost a week ago. But I probably will not convince you about the advantages of Full Disclosure :)
No, I don't see what this adds, I only see how this can cause harm. Anyone who wants to learn more can wait until everyone's had a chance to patch their apps; they can also figure it out themselves.
All this does is allow people who want to do harm to not have to figure it out themselves.