There have been, and continue to be, ongoing debates as to whether disclosure of security vulnerabilities and software bugs is required. Proponents of free speech, open software, and a majority of consumers say absolutely. Companies that create software of course disagree. These companies often state that they are reputable and fix their security vulnerabilities and software bugs as a top priority… after all, they have their customers' best interests at heart (or a set of PR statements to that effect).
Here is a perfect example of why disclosure is necessary. How would you feel if you paid extra for an unlisted phone number service, yet anyone on the internet who knew your phone number could find your address? It is reasonable to assume that if your phone number is unlisted you would not want your address available, even to those who may know your unlisted phone number. Lauren Weinstein found this exact vulnerability. In the spirit of responsible disclosure, he contacted the company and informed them of the vulnerability. He posted about the vulnerability on his blog, without mentioning any information that would reveal it. The company responded with a nice letter basically saying they were doing nothing wrong. So, after a little debate, Lauren posts the vulnerability. Guess what happens next? Yeah, the company is going to fix the vulnerability.
Unfortunately, this will always be the case. At the end of the day, companies are there to make money first. It doesn't make financial sense to spend money on resources to fix a vulnerability or software bug when that same money can be spent on resources to add new features that customers want and have stated they will pay for. Disclosing the problem changes this balance and forces companies to do the right thing.
