Jeff's InfoSec Blog

Thoughts about information security, privacy, and regulatory compliance. Brought to you by Jeff Newfeld, the product unit manager for security solutions in Microsoft's Core Infrastructure Solutions group.


Is finding security holes a good idea?


Some interesting papers came out of the third annual Workshop on Economics and Information Security. If you're an IEEE Computer Society member you can read the full text. Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical analysis of a point I have long held: that disclosure of holes is the prime driver for exploits, and that holding off on disclosure (which also means holding off on the fix) can in many cases reduce costs and improve security. That may be counter-intuitive, but read Rescorla's paper and judge it for yourself.

S&P: Economics of Information Security
