Bruce Schneier says “full disclosure is the best tool we have to improve security”.
Woah, that’s rather like saying “wheeled vehicles are the best tool for ground transport of passengers”. There are many different kinds of wheeled vehicles, and there are many different kinds of “full disclosure”.
Most often, “full disclosure” means “complete and immediate public disclosure”. Such disclosure essentially acts like the starter’s pistol in a race between the malware authors and the software developer. I’d rather see the software developer get a head-start in that race.
Public disclosure was initially used as a reaction to vendors’ irresponsibility – Microsoft is the vendor most people think about, but these days a certain database company comes more instantly to mind as a company who, even when given the extra time before the starter’s pistol goes off, tends to hang around behind the stands, smoking a cigarette, and denying that there’s a race coming up.
Public disclosure is great as a punishment for current and ongoing lack of action – but as a punishment for past misdeeds, it’s very much cutting off your nose to spite your face. A vendor who is trying their best to be responsible now – even one who has always been responsible – has to deal with the fact that they have to start the race at the same time as the malware authors.
Worse, with so many different disclosure mailing lists, newsgroups, chat servers, web forums, etc., a vendor has to try and figure out a way to respond to the starter’s pistol at every athletic venue that might be hosting a race.
In such an environment, where it’s impossible for most vendors to spend enough time discovering the “exploit mailing list du jour”, this immediate public disclosure stops well short of “full disclosure”, because it informs a large group of people that generally does not include the one group that can most widely spread a fix – the vendor.
In summary, it’s not full disclosure until you’ve disclosed – directly – to the vendor. It might be fun to think you’re taking the high-ground by punishing the vendor, but it’s more likely that you’re punishing the users by presuming that their best hope is going to waste time even if you notify them.
The true high-ground comes when you notify the vendor, so that if they’re worthy of punishment, you can tell the public that even after you notified the vendor directly and gave them every reasonable assistance, they still failed to act in the users’ best interest. Or, the vendor acts on your notice, and you still get to claim the high-ground, because your actions directly helped the users whose security was under threat.
So, yeah, I agree with Bruce – full disclosure is our best hope. But full disclosure doesn’t begin until you’ve disclosed to the developers / vendors, and I think it’s disingenuous of Bruce not to discuss what full disclosure means to him, versus what it means to others.