public security policy
Posted by Shane Petroff on May 21st, 2004



It seems to me that the more computer security issues come to the
forefront (both literally in terms of the number of breaches as well as
the amount of media coverage), a software company's security
'posture' could become a marketing advantage. By posture, I mean the
company's outward stance and expressions of how it handles security
related issues. (Hopefully backed up by its actions...) I'm thinking of
Application Service Provider types of companies mainly, but the same
could apply to anyone who even temporarily holds onto someone else's data.

If I can convince a potential customer that my system is more secure
than average, or better than a competitor, then other things being
equal, more people should choose my system. To that end, I would want to
make as much of my security policy public as possible. The problem of
course is that I also need to avoid exposing vulnerabilities, even
indirectly.

I've tried looking around for other examples of public policies, but I'm
not getting anywhere fast. It seems that everyone keeps as tight a lock
on this information as possible and balks at the suggestion of making
any of it public. I'm not a security expert, but I do know enough to be
sure that there is no harm in making some information that is contained
in a security policy public. Does anyone know of any guidelines for
which aspects can and can't be made public? Also, does anyone have any
recommendations about how to best structure a security policy (public or
private)?

Thanks in advance

--
Shane