I came across this blog entry today:
http://blogs.securiteam.com/index.php/archives/133
I do agree with much of what is being said there. Sometimes when you screw up, you just have to admit it (or hire a lot of lawyers).
What has occurred to me is that while many companies are accused of treating security issues as a PR problem, this is exactly what the researchers do. I work with a variety of researchers and respect most of them. They do a great service to the computing world and I thank them for it. It can be pointed out, though, that this is a grand dance, where some researchers want to make an issue sound incredible so they get press, and some vendors want to pretend it's not as bad as it seems. Somewhere in the middle is the truth. Whenever a researcher or a vendor skews the severity of an issue, it's the users that lose.
Part of our goal at Red Hat is to keep our security process as transparent as possible. If someone questions what we did or why we did it, we can point them at a Bugzilla bug, for example. We also keep a great deal of statistical security information here:
http://people.redhat.com/mjc/