Disclosure Truly is Dead

According to the eWeek article "Caught in a (Real) Security Bind", RealNetworks has been unable to obtain details of the RealPlayer 11 vulnerability that Gleg is currently offering as part of its VulnDisco pack, so the vendor cannot fix a flaw that is already for sale.

In a quote attributed to Chad Dougherty of Carnegie Mellon's CERT/CC:

We'd like to see the issue get fixed. We don't get into the politics of disclosure. Our objective is to get the information flowing in a way that end users are protected.

The sense of futility reminded me of Jeremiah Grossman's article "Businesses must realize that full disclosure is dead". In it, he makes the following spot-on observation:

While ethics, morals, and professionalism should always be fundamental tenets of how professionals conduct themselves, it's irresponsible to design security strategies based on the assumption people will be. Business owners and software vendors have a responsibility for the data they protect and the products they sell. They must take into consideration the environment around them, understand that it's hostile, and be pragmatic in their approach. Have no expectation that anyone is going to share any vulnerability information ahead of time. Pray they will before going public, but do not depend on it and frankly, it's hopeless to demand it.

Vendors need to recognize that proactive vulnerability research into their own products (code review, fuzzing, and regular penetration testing of shipping releases) must be an integral part of the software development lifecycle, not an afterthought triggered by an outside report. Find the vulnerabilities before someone else does. That has become the only way to stay ahead.

Posted by gfleischer on 2008/01/31 at 20:07 in Security
