Another IE Zero-day vulnerability possible
An article in eWeek yesterday outlined yet another potential critical flaw in Internet Explorer. It is not yet certain whether this flaw can actually be exploited, though. One thing I did not like about this is that the researcher who found it blindsided Microsoft by not first notifying them of the flaw. This raises an ethical question: does someone who finds a new vulnerability have a moral obligation to report it first to the vendor whose product has the flaw, so that they can fix it before the bad guys find out about it? With many companies like 3Com paying for new vulnerabilities, I think we are not giving the people who discover these new bugs much of an incentive to do the right thing. Then, on top of this, when the media interviews them and treats them to their 15 minutes of fame, the researchers get drunk on the attention. You can't blame these guys for racing to make their findings public under these circumstances.


