Monday, February 18, 2008

Reveal More.... Bugs!

In recent news, Opera employees cried foul at Mozilla for giving them only a day's notice of a security flaw Mozilla had discovered before disclosing it publicly. Setting aside the politics and circumstances of the dispute, Opera's complaint raises once more an often-discussed security question: which policy for revealing security flaws best serves the public interest? Influenced by my reading of the book "The Cuckoo's Egg", I believe Mozilla's policy of fairly transparent publication of security holes as it discovers them is of greatest benefit to its user base. That book recounts several real-life cases in which intruders exploited vulnerabilities that were already known to the people who had found them, and to the authorities, sometimes for years at a time, but were never publicized at large. Had the details of those vulnerabilities been circulated to administrators everywhere, those administrators would have been both empowered and made responsible to protect their machines against them.

Opponents of rapid disclosure argue that publicizing flaws before fixes exist alerts attackers to them sooner than they would find them on their own. But, especially in the case of open source software, attackers already have free access to every change in the code base and can diff each update to find bugs on their own. Also, Mozilla restricts access to the detailed bug reports to a smaller circle of trusted users, so the information needed to actually exploit a flaw is not as easily obtained as general knowledge that the flaw exists. Finally, users who know about a flaw can take precautions as they see fit, such as disabling the affected feature or discontinuing use of the vulnerable software until a fix is released. More advanced users can even contribute to the solution by submitting patches themselves. Overall, the benefits of a mostly transparent process of security bug publication outweigh the associated risks and give the public at large the best protection.
