If Not Full Disclosure, Then What?
’Sploit code for the latest Win32 vulnerability is starting to float around, unsurprisingly. And what does Stephen Toulouse, security program manager with Microsoft’s Security Response Center, have to say? Why, that “[w]e continue to believe that the publication of exploit code is just not good for customers.”
Not to pick on Microsoft, but I just can’t figure out how else one gets security-unresponsive companies to get their act together. I mean sure: let them know ahead of time, give them time to patch the software, but what incentive for security is there in a hush-hush, non-disclosure community? There’s no such thing as secure software, but at least in a full-disclosure environment programmers are challenged to write the tightest code they humanly can, something that matters deeply when your code is powering the server rooms of airports, hospitals, and so forth. I’ve not yet heard a convincing argument for anything other than full disclosure, certainly not from the schizophrenic/publicity-happy anti-sec movement.
Does anyone have such an argument? Anyone? Bueller?