That probably comes from my career in information security, actually doing the work in the real world rather than just talking about it.
Of course it is a good thing that the CSE is releasing this tool. Some people will use it and hopefully some patches will be released and implemented. It’s not talked about much if at all (probably because it’s pure career suicide for insiders to do so clearly) but non-government entities and non-state actors also keep collections of vulnerabilities to themselves.
That utopian sort of “one path or the other” ideal isn’t the world we live in. The full disclosure problem has never been solved; we don’t have a third way here, unfortunately. More unfortunately, the disclosure problem is getting worse.
OTOH if you are going to get snotty you could at least have addressed any of the points I raised previously.
“Utopian”? Seriously? The whole problem is that reality isn’t utopian. We want to protect our friends and expose our enemies, but we cannot do both. It’s one way or the other. Where is the utopia here?
I keep waiting for the other shoe to drop with the CSE open source release; where it’ll detect something major out in the wild, that they knew about, but would rather people discover for themselves instead of pointing the finger.
Is this a good gesture that floats everyone’s boat, or a game play on a shadowy board?