Hundreds, if not thousands, of machines are unnecessarily compromised each day. Most of these break-ins could have been avoided if administrators had been aware of just a single vulnerability - the one that affected them! How do these administrators keep up with the plethora of security issues exposed every week? Today, there are primarily three ways to discover these vulnerabilities: vendor fixes and patches, security advisories published by one of the myriad groups (CERT, CIAC, etc.), and full-disclosure mailing lists such as Bugtraq.
But how effective are each of these methods? How responsive are vendors to security problems when they aren't being pressured by someone threatening to go public? Are the proponents of full disclosure helping to fix the problem, as they believe, or are they creating more of a problem by divulging vulnerability exploits before a fix is available?
We will analyze this issue from all three perspectives, discussing both the successes and failures of each method, and what steps we need to take to remedy the problem. People have very strong feelings on this topic, and it's sure to provoke interesting discussion.