- Fotis' Blog - https://fotisl.com/blog -

Full disclosure… or not?

One of the biggest problems I face sometimes is what should I do when I find a bug. I recently found a bug at the linux kernel version 2.6.30, which was fixed at 2.6.31, but I only told it to a friend of mine. Posting the description to a mailing list or at my blog would mean that everybody could write an exploit and use it to hack into systems. I could also write a patch which could be merged at the next release. For the moment I chose not to do anything until the next kernel release and if it wasn’t fixed I would then decide what should I do.
I face the same problem when I write security related programs. For example, a rootkit that can be used for malicious purposes can also be used to demonstrate bugs at the design of an operating system. Should a program like this be released?
I have created the following two polls. I believe that the results are going to be very interesting!