Ethical Vulnerability Disclosure
The debate on whether vulnerabilities should be disclosed to force a vendor to fix the problem in a reasonable period or kept covert until a fix has been implemented has been a big discussion in the Information Security field. Black Hats, White Hats and even Grey Hats have their opinions. I personally have disclosed a vulnerability I discovered to vendor and known others who have as well, too only witness slow responses to rectify the matter to no responses at all.
In an Enterprise IT Planet Staff.com article, one group feels immediate disclosure effects change at a brisker pace (WMF again) and encourages vendors to tighten up their development practices. While other point to the complexity of software today, where yesterday's feature becomes today's liability. They would say that out of respect for users, and the community at large, vendors should be given a chance to make things right.
What do you think?