Full disclosures should be public

I’ve been following a thread on the Daily Dave list (which I for some unknown reason signed up for; I guess it was because of some interesting thread regarding vulnerabilities). However, the specific thread discusses an article that claims that Immunity (which manages the Daily Dave list) is acting unethically and without responsibility (and I kind of agree with that).

So, what does Immunity do? The article mentioned above explains that rather well, so I’ll just quote it:

Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large.

So, what this means is that paid “customers” will get information on vulnerabilities but no one else will. The non-disclosure agreement that the customers sign keeps them from forwarding the vulnerability disclosures to the public. I find this very unethical, foolish, irresponsible and stupid. They claim to do us a favor by not making these disclosures public, so that hackers can make exploits targeted against them. What keeps the hackers from signing up and paying for the disclosures?

I think I’ll leave that list.
