I found an SQL Injection vulnerability in a piece of software that, according to the site, may affect over 20,000 websites. I have kept the advisory and proof-of-concept exploit private, but am curious how long it will take for the vendor to release a fix.
I have often felt that full-disclosure (FD) is the way forward. In other words, we release first and ask questions later. This approach appears to have ‘inspired’ vendors to patch more efficiently in the past, but at the same time it alerts the bad guys to write more exploits!
The argument for FD is that attackers may already be exploiting the vulnerability in the wild, and that by practising FD the security researcher is merely issuing a warning, as one would if a dam wall were about to collapse.
If we could measure and detect attacks on a global scale, this argument could be addressed and debated in a better light. I do think FD can be terribly destructive when used by attention seekers who may choose not to release the advisory to the vendor at all.