You're missing the key point: the patch is disclosure to the bad guys.
The P0 disclosure is the disclosure to the good guys and users.
You're assuming that the bad guys are learning about the problem from P0's disclosures, but without P0's disclosures, the bad guys would still learn about the old bugs from the patch itself.
So which is a better situation: a world in which only the bad guys get the information about broken old versions, or a world in which everyone gets the information?
I'm not missing that point. "Which is better" is not measured by who has "information". If only the bad guys have the information, but they still fail to exploit, that'd be an awesome world. Somehow infosec folks seem to keep treating this as an information game rather than a security game.
The way I'm suggesting you measure "better" is by measuring actual hacks, and how the number of actual hacks is changing based on whether you insert a delay or not.
So we go back to my question above, which you didn't address. I'm saying the fact that patches come out on a regular basis means that people would still have to update regularly, even if each individual patch comes with a delay before a PoC etc. is disclosed. So I repeat the question: would customers really update regularly but actively filter out patches whose disclosure deadlines haven't passed? If not, why wouldn't the delay still achieve the outcome everyone is asking for here?
On an update in particular? Or on the set of updates being applied to your system at a given time, if one of them fixes a vulnerability? (Do you filter out the ones that don't?)
And wouldn't a vulnerability still be there even if there wasn't e.g. a PoC disclosed? I'm not really sure how that affects what I'm saying.
Of course not, that's a straw man that only you are suggesting and often isn't even possible on most systems. People by-and-large will apply all pending updates at once.
Responsible disclosure pushes folks to update. Well, that and new emojis that they're feeling FOMO from. It's a carrot and stick sort of operation.
There's a little box that occasionally pops up in the top right corner of my screen. I usually just click "remind me tomorrow" ad infinitum. But if I find out there's an important vulnerability that an update fixes, I go out of my way to update immediately. That's all I'm saying.