Why full disclosure is an important tool

Guest editorial by Danny Quist

On one side we have the people that are doing remarkable work by researching these flaws, disclosing them with appropriate warning to the vendors, and letting the public know about the problems. On the other side of the argument are the limited disclosure people.

[ SEE: Adobe swings and misses as PDF abuse worsens ]

The advocates of limited disclosure are excellent researchers who I know and respect. It floors me to think that it is acceptable for vulnerabilities to be left unpatched for a serious amount of time. I consider 90 days to be entirely too long to patch a vulnerability. The fact that Adobe said that a patch would be issued 18 days after the public disclosure is highly irresponsible.

[ SEE: Critical Adobe Flash Player patch coming ]

You can disagree with full disclosure, but it is a useful motivational tool. Microsoft responded well to their problems. They created a security development process that is unparalleled in the world. Adobe, it's time for you to step up as well. Limited or closed disclosure creates complacency, which amounts to willful neglect.

I wish there was some other way than full disclosure to motivate vendors. Unfortunately it is the only method available that has a proven track record of working.

* Danny Quist is the CEO and co-founder of Offensive Computing.