Re: Heroku early upgrade is raising serious questions

From: Josh Berkus
Subject: Re: Heroku early upgrade is raising serious questions
Msg-id: 516858D5.7060707@agliodbs.com
In reply to: Re: Heroku early upgrade is raising serious questions ("Joshua D. Drake" <jd@commandprompt.com>)
List: pgsql-advocacy

>> Perhaps not, but I feel we can, and should, do our best to try and get
>> everyone updated before giving attackers the information they need to
>> exploit people.
>
> Well I certainly agree with that.

... which was the goal in doing early notification of the cloud
providers.  They were indisputably the biggest potential targets for the
recent vulnerability.  And they *didn't* get hacked, so the strategy was
materially successful.  Whether or not a different approach would have
been equally/more successful is, at this point, "monday morning
quarterbacking" as we say in the 'States.

I'm a pragmatist.  I'm looking for the policy which protects the most
users from script kiddies.  If that policy is fair and democratic that's
also good, but less important than preventing people from being hacked.
This is where I, personally, am coming from.

The problem with early notification from this perspective is that the
more organizations receiving early notification, the greater the chance
of a leak, at which point you've done the opposite of protecting users.
On the other hand, the problem with no notification is that you create
a race between black hats and admins as to who can deploy the fix vs.
the exploit faster, which isn't good either.  I don't know that any
organization has a clear answer to this year, including large commercial
software vendors.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com

