Jose Alberto Guzman wrote:

> It may be better to set a deadline for the disclosure, instead of a
> coordinated disclosure.

A deadline is some form of coordination, although a rather unidirectional one. 8-) Often, more flexibility is desirable.

> OTOH, it may also help to coordinate the actual release, and not just
> the announcement, so that fixed packages are not available to the public
> until everyone makes the announcement. This way the time window of fixed
> package to announcement gets smaller (only when the mirrors are up to
> date), and a clever hax0r cannot monitor changes in important packages
> (ssh, kernel, apache), and dig for unannounced fixes.

Usually, announcement and patch release are closely coordinated, and for free software, there is often not even a separate announcement. Deliberately silent fixes are rare. Some netfilter defects were resolved this way (in early 2003, IIRC), but that's unusual for free software.