Another argument for disclosing vulnerabilities to the public if they are not fixed after a certain amount of time is that you never know when “bad guys” have discovered the vulnerability. So, eventually it is a service to let the public know that their information may be insecure, and nothing is being done to secure it. This (depending on the nature of the vulnerability, etc), allows the public to make an informed decision about whether they’d like to continue using an insecure product or service. (It also often has the side-effect of motivating some companies that can’t be bothered to care about their customers’ security to actually do something about it.)
8 Likes
