How is it better to not look into or share such information when we know that a vast army of assholes are doing the same thing for nefarious purposes?
Yes, they might not spot it themselves, but we know that in practice they often do and the results are horrible. If we stop looking then they will definitely be the first to find vulnerabilities - as it is they are only sometimes the first (and the vulnerabilities they find are likely to be the less appalling ones).
Privately sharing the issue with the authors lets them fix it in a timely way; publicly announcing the issue after a reasonable period of time incentivises them to do so - corporate authors often won't bother unless their arms are twisted.
If those black-hat hackers were not really out there then I might agree with you, but they are, and they don't care that we don't like it.
In a way I am definitely seeing your perspective here. Letting "good guys" win this race occasionally is an improvement over never letting them win.
It's just that I think we can do better, because I think the web is a hostile, vitriolic open sewer and must be governed properly before civilized business can be conducted on it. It was perhaps a great innovative place, but it now is a dumpster fire causing endless headaches and beyond redemption. I think it's time to face this reality instead of trying to dress up the turd.
Are you not aware that the internet is an international artefact? Will you institute a Great Firewall to prevent your citizens from seeing outside your borders?
An inconvenient question I often ask about proposed architecture changes is: "How will you get there from here?" - if you can't answer it then it's not going to happen.
> if you can't answer it then it's not going to happen.
My point is that if we as a technical community don't start looking outside our technical bubble the powers that be will at some point figure out a way to get there from here and without consulting you (us). But maybe that's wrong and maybe nothing's going to need changing. I hope so.