Rule 2: Full Disclosure of Bugs and Holes Benefits Security

As cited above, some vendors may feel comfortable shipping software with security holes, on the expectation that the software is so complex and proprietary that no one will find them -- the tree hasn't fallen if no one was there to hear it fall. Some security professionals feel uncomfortable with the publicity that security holes and problems receive. They worry that announcing exploits can give the "bad guys" ideas about how to attack systems. On the other hand, the security community on the Internet has committed itself to sharing knowledge about holes and possible exploits: numerous mailing lists like bugtraq and newsgroups maintain open discussions intended to identify and then close holes. It's somewhat paradoxical, but the routine public disclosure of security problems benefits the overall security of the Internet and the systems on it. Security through disclosure works.

Note: This doesn't mean you should widely publicize a security hole as soon as you find it. Protocol requires that you contact the system vendor or the authors of the affected program first, giving them a chance to develop a fix before the details are public. It's good when security holes are announced. It's best if they're announced along with fixes.

Excerpt from Unix System Security Tools by Seth T. Ross
Copyright © 1999 by The McGraw-Hill Companies. Used with permission.
HTML Copyright © 1999
Copyright © 1990-2006 and Seth T. Ross