Security Bugs Vs. Regular Bugs
There has been much debate recently that stems from discussions related to Linux kernel development, over whether or not security vulnerabilities should be treated differently than regular software bugs. This has meant there has been a slight departure from the exhausted “full disclosure” debate, in that some believe that the problem with the disclosure process isn't whether or not it best protects users, but that it unfairly praises those that uncover and fix security issues more than those that fix regular bugs. Personally, I think that there are two important distinctions that are not being made.
Security vs. Availability
Security and availability are two different things and should be treated as such. Some are quick to argue this, pointing out that a denial-of-service attack against a life support system would obviously be a drastic security problem. They would be right—I am not suggesting that the two are mutually exclusive. If we depend on the availability of a system for our security, then yes, it is indeed a security issue. Fortunately, we are a fairly fault-tolerant species and do not depend on the availability of absolutely everything. As an appropriately timed example, the text editor that I am using to write this blog article just crashed, due to a null pointer access. This could have prevented you from reading my blog. While I do hope my posts are at least somewhat interesting or useful, I am fairly certain that no one is going to suffer without them. Someone may suggest that it's also a security problem because I could have, hypothetically, had the cure for cancer typed up and lost it before I could save it. That's just too much of a stretch, and I think the security issue would have been in my poorly designed work process, if anything. But, if my software were to crash at random intervals several times every hour, now that would be quite a nuisance. So why wouldn't I appreciate the efforts of the individual that fixed it? I certainly would, but that's where the other distinction is important.
Priority vs. Value
We have limited resources, limited time, and a limited capacity to digest and respond to information. This creates the necessity for priority. While I do want to know that there is a new version available that will alleviate the need to save after every sentence, there isn't an imperative need for me to know right now. There is no window of attack involved. When it's a security issue, there is an attack window, and I do need to know about that immediately so that it can be minimized. This is why we have security advisories, and why regular bug information is not disseminated in the same manner. Much like availability isn't necessarily related to security, priority is not necessarily related to value. By making the decision to refrain from explicit notification of security-related fixes, you are compromising everyone that necessarily relies on that information in order to prioritize acting upon it according to their circumstances. Those that have the time to immediately download the changelog and attempt to evaluate whether or not every individual change poses a security risk will be fine, but realistically, that is no one. The rest of us really appreciate this courtesy.