Russian Researcher Sets Vulnerabilities Free

Intevydis, a previously little-known Russian security firm, is making a name for itself by releasing details of unpatched zero day exploits at the rate of one a day for the rest of this month.While the Intevydis hole-a-day revelations are aimed, the firm says, at the inadequacies of "responsible disclosure" (keeping vulnerabilities generally quiet while giving the vulnerable software's manufacturers the chance to patch the hole), there's a lot of buzz about whether or not the Intevydis move is itself irresponsible zero-day exploit disclosure.

Irresponsible -- or worse, some say.

No surprise there -- this sort of thing comes up from time-to-time, and the back-and-forth about its ethics (or lack thereof)comes up right along with it.

That's one that won't be solved, certainly not any time soon.

But any time soon applies to patching the bugs as well: Some of the holes Intevydis is revealing have been around for years. They don't get patched for a variety of reasons, but one that we've all heard is that a particular vulnerability is "low priority."

Maybe so -- for the software maker. How low the priority for the exploiters, though, is a question, at least one of them, that the Intevydis revelations may begin to answer.

The Intevydis blog discussing the month of bugs is here.