Board Thread:Bug Reports/@comment-25565811-20170120120301/@comment-25101690-20170204162509

Campinator wrote: Sorry, as a non-server person this could seem like a rather obvious question, but why is there such secrecy in discussing bugs? If the matter truly is a problem, wouldn't any exploits be worked on? Again, hope this isn't bordering on the redundant.

You can find an in-depth answer here, although it's about hackers and security vulnerabilities:

t0: The vulnerability is discovered.
t1a: A security patch is published (e.g., by the software vendor).
t1b: An exploit becomes active.
t2: Most vulnerable systems have applied the patch.

For normal vulnerabilities we have that t1b - t1a > 0. This implies that the software vendor was aware of the vulnerability (at time t ≥ t0) and had time to publish a security patch (t1a) before any hacker could craft a workable exploit (t1b). For zero-day exploits, we have that t1b - t1a ≤ 0, so that the exploit became active before a patch was made available.

By not disclosing known vulnerabilities, a software vendor hopes to reach t2 before t1b is reached, thus avoiding any exploits. However, the vendor has no guarantees that hackers will not find vulnerabilities on their own. Furthermore, security patches can be analysed to reveal the underlying vulnerabilities and automatically generate working exploits,[8] thus we will always have t0 ≤ t1a and t0 ≤ t1b.