Comment by wglb
4 years ago
>Generally in the security sphere we consider it the most ethical and responsible
I would reword this to say
>Generally in the security sphere we consider it the most obedient
The earlier wording severely disadvantages the end-user by depriving them of the opportunity to know that they are working with broken software and to find an alternative.
That's fair. It's the attitude I've seen the most of in the people I work with/around, and it's rubbed off on me a bit. There are definitely people who believe this is a disservice to the users, and I don't necessarily disagree with them.
Personally, I agree most with tptacek in another comment, that this is on a continuum, and depends on the vulnerability, situation, and who's involved. If there's a good faith effort to develop + push a patch to a very wide install base of hardware which realistically is being ignored by the sysadmins (no chance of being replaced, and impacting people using them in e.g. public places), I think it can be ok to embargo details.