Full disclosure


Showing revision 1
Full disclosure is a controversial subject in computer security. It basically means that if you discover a security vulnerability in some software, you should report it publicly. If you find that someone has cracked your computer and discover previously unknown cracking tools, you should make them publicly available, preferably through Bugtraq.

The controversy is easy to spot. Making a cracking tool publicly available means that blackhats will get their hands on it. It also means that whitehats will get their hands on it, and that the vulnerability WILL get patched, and fast. It is often considered good practice to give the vendor prior warning if the bug is not being exploited in the wild, so that they can have a patch ready at the time of disclosure. This, however, does not apply if the vulnerability is actively being exploited, for example if you find an exploit on a cracked system you administer.

future expansion of article should mention:

See also:


Edited December 5, 2001 6:53 pm by Arcade