One last time, because nobody seems to address my basic question...
"from all accounts didn't intend to go public until after the problem was fixed",
Yes but....
Fixed how, when and where? By vendor issuing a patch? That doesn't fix anything. Nothing is fixed until all the users of the software have applied the patch. How much lead time is he giving people? Is he going to wait a day, a week, a month, a year?
The issue here is not this particular example, the issue is the principle.
I'm still waiting for someone to explain to me how the IT world in general benefits from him RELEASING THE DETAILS! Not finding and reporting the bug, that was not, is not, and never was the issue. The issue is he said he would release the details. WHY?
I'm not going to argue my shop doesn't have issues; but when a company is built by acquiring over time various other companies, has a history of weak central IT control (since corrected), has multiple lines of business spread across even more operating regions, all with some degree of autonomy (ever try telling a doctor "no"?), you're going to have some "legacy issues". Shit happens. What I don't need is people making things more difficult than they need to be.
And yes, our servers are behind appropriate multi-layer firewalls, but then you have things like USB drives, people with laptops who connect on public internets at home or while traveling, then come to work the next day and log in: so various nasties WILL wind up on your internal networks, firewalls aside. May not be an attack vector in this case, but we're talking principle here.
And yes, I know the difference between responding to a virus outbreak and proactive patching; just in case you wanted to go down that path. This issue is about proactive patching, and whether or not you can control the number of critical out-of-cycle patches you need to apply due to heightened exposure.
Then you have the auditors who want to know if you're good with HIPAA, SOX, PCI, and many other legal restrictions; all of which impose various security/vulnerability requirements on us. Doesn't matter if a server is directly visible to the external internet or not.... and you should know that if you really have to maintain a significant server farm in a large business venture that includes personally identifiable information, or financial information, or credit card information, or health care information. Ask Sony about this concept someday.
So you end up having to patch EVERY vulnerability on EVERY server it could possibly apply to, because proving to an auditor that there is no theoretical attack vector due to firewalls and/or network segregation is more work than just patching things. Plus, you could be wrong.
So one more time:
How does DIVULGING DETAILS, not finding and reporting, benefit the greater IT community?
I'm OK with everybody telling me I'm full of shit if they would address my question, but nobody HAS yet addressed my original question: Why is divulging the details a good thing for US?
Yeah yeah yeah, good on him for finding and reporting... give him a merit badge, pay him a finder's fee, write him a letter of recommendation, let him put it on his résumé.
What is the upside for us when he divulges attack details?
Anybody?
And no, not German; US.
Not software company; Health Care (did work for a US software company in the 80s).
Don't even run this software, could care less one way or the other.
I just think this guy (and others who behave similarly, as this seems to be a standard modus operandi in the 'white hat' community) do us no service by releasing 'how to' info, as he has no way of knowing how many users have completed applying the fix, and THEIR TIMETABLE IS NONE OF HIS BUSINESS.
Shrill? You bet. I just don't understand why the rest of you aren't also pissed off, so I must be missing something... so tell me please: what is the upside to ME of him divulging details? 'Cause I for sure can see the downside.
Last post on this, promise.