In the security community, the topic of full disclosure has been discussed for what seems like an eternity. Essentially, it is the question of whether the full disclosure of vulnerabilities prior to vendor notification is useful or harmful to the computing world at large.
There are really two schools of thought on the subject. One side of the argument is that full disclosure forces vendors to patch their software as quickly as possible. The alternative view is that full disclosure only harms the users of the product, since there is often very little they can do to patch. Assuming there is a vulnerability in a product that is not publicly disclosed, the users of the product would be relatively safe, because the vulnerability would not be known to the community at large. Of course, that does not mean the details of the vulnerability are not known by someone out there. It just means that the average script kiddie does not have access to exploit code.
So, which side is the correct one? Who cares. While it may be important to the security industry to figure out the best way to approach the discovery of new vulnerabilities, debating which side is best is a waste of time. The problem is that we aren't the ones who decide to release vulnerabilities publicly without full disclosure. Therefore, debating which approach is better is a little useless, since no matter what we decide on, both things are going to happen anyway. It's not as if what we decide upon, if we ever could decide, would affect what the rest of the world will do. It's like debating whether apples or oranges are the better fruit. Some will choose one. The rest will choose the other. Will a consensus within a small group change the eating habits of the world? I doubt it.
We are doing a disservice to ourselves and to the people out there. If I were looking from the outside in, I would have a lot of trouble taking the industry seriously. If we are so focused on the little things that don't matter, how could we expect others to have faith in us to make good arguments on the things that do?
That's not to say that the topic isn't important. There are a lot of reasons why we should continue to have these discussions. First, and foremost in my mind, is user education. There are a lot of people who don't necessarily know the benefits and drawbacks of full disclosure. It's important for the community to take a leadership role in security and educate others. However, we all talk about full disclosure like it's the most important thing since the discovery of sliced bread. There have been numerous articles and blog posts about the benefits and drawbacks of full disclosure by people who have been in the industry for years. But there is a big difference between talking about it once in a while and discussing the same thing over and over again endlessly.
In the end, I think we are doing a disservice to ourselves (and maybe I shouldn't be grouping us together). A lot of the time, it looks like we act like silly children when we fight over something that really doesn't matter. Which side of the full disclosure debate wins is really not important, as it's going to happen anyway. What we do, and what we have taught others to do, when full disclosure affects us is what's important.
Comments (3)
I agree!
A pet peeve of mine is also misleading information; i.e., headlines indicating IE7 or Vista are affected by XYZ when the truth is that IE6, IE7 and Firefox are each vulnerable to whatever.
Posted by Corrine | February 27, 2007 7:20 PM
So, what are the things that matter?
Posted by Pete | February 27, 2007 8:38 PM
Another important reason for reaching a consensus is that after the standard has been defined, we can go after people irresponsibly putting others at risk with the force of the law. On the other side of the coin, if such a standard exists, security researchers know what to follow to be (reasonably) safe from a legal standpoint (for example, if I notified the vendor and it hasn't responded in X days, I'm allowed to go public).
Posted by Cd-MaN | February 27, 2007 10:20 PM