Why fair disclosure is so difficult

It can be difficult for people to keep a secret at the best of times, and this is particularly true in the world of cyber-security. The whole industry rests on secrets, yet some of them must be disclosed to make the user community safer. Disclosure of security flaws is a complicated and tense process, both for the researchers who discover them and for the vendors who must fix them. Approaches range from full disclosure, where everything is made public immediately, through to fair disclosure, where information is released on a schedule agreed between researcher and vendor, with many nuances in between. Danny Bradbury explores the continuum of disclosure and analyses some of its strengths and weaknesses along the way.