The hidden costs of embargoes (Red Hat Security Blog)

Over at the Red Hat Security Blog, Kurt Seifried looks at the costs of security embargoes. Keeping the information about security vulnerabilities quiet until distributions can coordinate their releases of a fix for it seems like it makes a lot of sense, but there are hidden costs to that. "Patch creation with an embargoed issue means only the researcher and upstream participating. The end result of this is often patches that are incomplete and do not fully address the issue. This happened with the Bash Shellshock issue (CVE-2014-6271) where the initial patch, and even subsequent patches, were incomplete resulting in several more CVEs (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169). For a somewhat complete listing of such examples simply search the CVE database for 'because of an incomplete fix for'."