Full vulnerability disclosure is impractical
The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible, heard delegates at RSA. Ira Winkler, president, Internet Security Advisors Group, said: "I simply don't believe in full disclosure. I realise that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure."
Winkler said he believed that the critical DNS flaw was already known to hackers before the researcher's discovery. "Some people obviously knew about this years before, certainly at a government-agency level. I've worked with the NSA, and yes, they are trying to hack software; we'd all be pretty disappointed if they weren't!"