Full disclosure


Full disclosure is a controversial subject when thinking about computer security. It basically means that if you discover a security vulnerability in some software, you should report it publicly. If you find that someone has cracked your computer, and find previously undiscovered cracking tools, you should make them publicly available, preferably through Bugtraq.

The controversy is easy to spot. Making a cracking tool publicly available means that blackhats will get their hands on it. It also means that whitehats will get their hands on it, and that the vulnerability WILL get patched, and fast. It is often looked upon as good practice to give a vendor prior warning if the bug is not being exploited in the wild, so that they may have a patch ready at the time of disclosure. This, however, does not apply if the vulnerability is actively exploited, for example if you find an exploit on a cracked system you administer.

Full disclosure came to life after it became clear that the method employed by CERT didn't work out as intended. Vulnerabilities were reported to the companies that made the software, which in turn asked for more time to fix the problems. In some cases it is rumored to have taken years before a patch was issued. In the meantime, the vulnerabilities were actively exploited by crackers. The tendency of software companies to ignore warnings became known as security through obscurity.

To address the controversy of disclosing harmful information to the general Internet community, including blackhats, Rain Forest Puppy developed the RFPolicy, which is an attempt to create a proper way to alert vendors to security problems in their products, and to define what to do when the vendor fails to respond.

future expansion of article should mention:

See also:

Last edited December 10, 2001 5:06 pm by Arcade