Withholding A Security Patch
from the not-such-a-good-idea dept
The issue of whether or not to disclose a security hole before the software has been patched has been discussed many times – and not everyone agrees on the proper response. However, what do you do when the people who have the patch refuse to make it available? That’s what apparently happened recently, when the security hole in BIND was made public. The Internet Software Consortium told people who were not on their mailing list that they needed to email them to get the patch. Then, instead of just giving them the patch, they tried to convince them to sign up for their paid support service. The move has angered a lot of people. This goes beyond simple disclosure questions into actively withholding the information needed to fix a security problem.
