nCircle.com >> 360 Security


Responsibility and Disclosure

In his blog (which is one of the few on my "Daily Reading" list), Adam Shostack has a really interesting post entitled "The New Transparency Imperative". He makes the point that the new disclosure laws are going to do a great service.

And, while I agree with him, I think we really need to talk about the dark side of the point. Everyone's running around touting the benefits of SB-1386 and laws like it, but we're forgetting the very real damage that disclosure can cause.

We've had a "responsible disclosure" debate in the vulnerability research community for a whole lot of years - the point is simply that, while disclosure forces everyone to be responsible, sometimes, you can have too much of a good thing.

The recent VA compromise is a great example. The analyst whose laptop was stolen potentially exposed a large amount of personal data. However, the average domestic laptop theft isn't a targeted act - the purpose isn't to steal data, but to steal a laptop. With the amount of disclosure that happened in this case, though, it's a safe bet that even if the thieves didn't know what they had stolen (and the value of the data on the laptop) at the time, there's no question that they do now.

We likely won't ever know if the thieves stole the laptop for the sake of the laptop, or for the sake of the data. But, if the disclosure had been a little more discreet, it's at least possible that they wouldn't have known what they stole.

I'm not suggesting that we shouldn't disclose - I'm only saying the same thing that has been said about exploits and vulnerabilities for the past 10 years: we need to find a way to be responsible about it.

About

This page contains a single entry from the blog posted on June 19, 2006 6:00 AM.
