An uncomfortable month makes a quiet year

In an ideal world, a month of bug hunting wouldn't be needed. In reality, it does more good than harm.
Written by Leader, Contributor

After the Month Of Apple Bugs, the Month of PHP. Opinion has long been divided about such efforts.

The proponents say that such a focus encourages people to think in new ways, and to spend time finding and documenting problems that they'd just never get around to otherwise. Those against say that it's a publicity stunt that goes against the grain of proper, steady security research, bringing problems to the surface before there's been a chance to fully research them and their solutions.

There are problems with the Month approach, certainly. It gives people such as Bill Gates the chance to say to Newsweek that: "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine", which might seem like pure fantasy but is probably related in some way to the Month Of Apple Bugs.

The accusation that it is dangerous to release too many security flaws at once is slightly more valid. It's still responsible to first inform those who can fix a problem before making it public. In many cases, though, without the attendant sting of publicity, the problem gets pushed to the back of the queue: bugs are fixed in the order in which they're likely to embarrass a company. If it takes irresponsibility to fix irresponsibility, then so be it.

If anything, MOAB's inability to find major flaws in the Macintosh operating system did nothing but good for that system's reputation for solid security design — almost to the point of encouraging the complacency that will doubtless bite in time. Nobody would claim that computer security needed less thought, not more; secrecy, not publicity, has kept most vulnerabilities unfixed until an exploit forces the issue.

Like Red Nose Day, Red Face Months may annoy as many people as they help. They may disguise the real issues behind a fuzz of feel-good action. They may even inspire compassion fatigue. But while the underlying problems remain, they're imperfect but important — and those who'd have them stopped have only to fix the problems they raise to get their wish.
