The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch - and we just proved it again. In March we found the problem and reported it, and nothing was done. In August we posted the problem to FD, Bugtraq, and InformIT - and several days later a patch appears. Coincidence? I think not...
Earlier this year, I was introduced to EZPhotoSales, a web application you could buy to manage your online photogallery and sales. After looking at it for a bit, I realized the software was rather insecure. So, I contacted the company and informed them of the many bugs, to which they replied, "
Unfortunately EZPhotoSales has a number of flaws..." and basically said they were working on a new product and were going to let the old one alone due to time constraints. That was in March.
So, it comes August and the problem still isn't fixed, the new product still isn't out, and more people are exposing themselves and their hosts to potential attack. In addition, I found the software was a good example of a lot of things that go wrong when developing software, so I went public
Guess what happened - a patch was released
Would this have happened otherwise? I doubt it. In my mind, this is just another example of why full-disclosure does work.