Originally Posted by rajagra:
TheAnimus is highlighting the difference between those who think being open source with full disclosure and proof of concept (or "how to" hacking guides for script kiddies) is preferable to closed source and responsible disclosure.
Arguments for full public disclosure are invariably along the lines of "the public has a right to know" and "it puts pressure on the developers to get it fixed".
I have NO clue what the argument for "proof of concept" code publishing is, but personally I view both of these as shouts of "look at me! look at what I can do!" rather than being genuinely helpful.
The pressure is of course placed on the users of the software affected who have to do impact analysis tests before deploying to a live environment, and this is assuming they even bother to get the patches in the first place (Code Red & Nimda would not have been issues if everyone had applied the patches which had been available for up to 18 months).
There is then the opinion that "more eyes looking at the source code means fewer security holes", and this concept is coming under scrutiny by Symantec et al. right now.
The Register has had a few articles of interest this month:
Firefox Security Flap
Symantec Threat Report
Linux Firefox Flaw
Mozilla Growing Pains