Rodney recently posted an article on incorrect policies of some companies, where they assume that not telling anyone about their security flaws will somehow protect them.
Such companies cannot last very long, because they incorrectly assume that they are the only intelligent people on the planet.
Someone with malicious intent can always find your security flaws without you telling him/her. So it’s crucial to remove those flaws instead of trying to hide them.
On a similar note, I want to tell you to never make assumptions about any bug.
E.g. when I tell you about a server error that occurs on your website, don’t just ignore it by assuming that the scenario I described will rarely occur. Users are not 100% predictable. No human is. So your assumption – that only a tester would hit such a server error and real users would not – is wrong.
Also, if the “rare” bugs you chose to ignore are numerous, the probability that a user runs into at least some of them goes up. Each bug a user finds has a cumulative effect, driving that user away from you.
If a user does come across such an error, he/she will be confused and frustrated, and you might lose your audience to someone else who took the time to fix their bugs.
And you wouldn’t want that, would you?