Here's the environment:
Website that hosts a forum/journal/bboard/email/social media application in a walled garden (i.e. you pay to get to use it or are invited to do so).
Many clients pay to use the site during specific chunks of time (i.e. they lease access to the site) in order to interact with their clients. There are dozens of clients in a broad range of fields.
There is a very broad service level agreement. Meaning that it's not stated that the website can't go down for more than ten minutes, but there's a gentleman's agreement that it won't. They don't pay for the 24/7 support, but we give it to them because we love what we do.
Site runs in 7 different languages throughout multiple time zones.
Here's the situation:
The site goes down at 5:30 EST and stays "offline" for approximately two hours due to a DDoS attack. The clients' reactions vary from annoyed to livid. The clients are also not very tech savvy. The clients are accustomed to 24/7 support and typically receive great support.
Here's the question:
How much do you divulge to the client about the DDoS attack? They want a reason as to why the site went down.
Be honest. A DDoS attack is likely to be beyond your control (or at least beyond your ability to predict).
If it is a DoS caused by a bug in your code (or by someone exploiting a bug in your code specifically to create a DoS) then things get more difficult as there is blame that could be sent your way, but for a DDoS that is genuinely beyond your control then honest is definitely the best policy.
If your users want an uptime policy that states "won't go down for longer than X in Y or for any period longer than Z for any reason" then they need to be paying you for a service level agreement that states those rules rather than living on a gentleman's agreement.
IMHO, be straightforward with them. Explain to them what you believe to be the cause of the outage. Explain what you're doing to analyze/verify the cause of the outage and what you'll do to try to prevent it in the future. Even the largest, most technically savvy entities have problems: Microsoft mucking up their DNS, TechCrunch getting hit with a DDoS attack, Facebook accounts being defaced, the Washington Post letting their domain name expire, etc., etc.
If you've performed due diligence in securing your site/assets then that's all a customer can ask of you as far as I'm concerned. IMHO, honesty and straight talk are the best policy.
I've always been in favor of maximum transparency. I was impressed by FogCreek's openness in their reporting of an unplanned outage of their hosted FogBugz service a couple of years ago. They didn't have to tell us any of that stuff, but honesty builds trust.
Tell them the truth, and divulge as much as you feel they need to know, without getting too technical.
Sorry if this sounds harsh, but I would tell them that there was a general network problem and get on with fixing the problem rather than asking ethics questions on here - that stuff can come later once the problem's fixed.
My company operates on several "core values", and one of them is "Bad News First - No Surprises." IMO, tell them it was a DDoS, as much as you can without being overly technical.
Everyone wants honesty, and to be spoken to like a mature adult.
However, there are no mature adults. If customers learn that your site went down due to a DDoS attack, and you explained very clearly to them what you did to remedy the situation, they'll thank you for being straightforward with them and then they'll start looking for a vendor who hasn't done whatever it takes to be a target of DDoS attacks.
Now I know that you did nothing to deserve an attack, and so do you. These things happen. Your customers probably know it too. But some guy at some company who made the decision to spend money on you is now in the predicament of having to explain to his superior why he made such a bad decision.
Observe:
Statement 1: "Sorry I'm late, I had some car trouble."
Statement 2: "Sorry I'm late, somebody slashed my tires."
Which one of these statements do you want to hear from a person you're giving your money to? This is why corporations never tell the whole truth even though we demand they do.
Tell them you had a big network outage and that you really worked your butt off to get it worked out. This is what happened, and it's easy for anyone to understand, regardless of technical prowess. I'm not recommending that you lie. Just don't offer too many details unless you're pressed to do so.
(note: if you had been hacked and user data was at risk, that's when I would switch over to a more up-front tell-all policy)