Microsoft has blogged about a call for a better Coordinated Vulnerability Disclosure in response to the recent Google fiasco (Google released information about a Windows flaw to the public before Microsoft had released a patch). I think there are times when open communication between even the biggest competitors is necessary, and security is one of those times. If you tarnish the security reputation of one product, consumers will view other products with a similar distrust.
Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.