IE 5.5 & 6 script security bug
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00580249
Message ID: 00581276
Views: 23

>>Mike, you should know that skilled crackers have excellent communication networks and will exchange newly discovered exploits among themselves at the speed of the net regardless if they are reported by anyone or not.
>
>What's your point?

Surely you jest...

>
>If the exploitation details and code are withheld until the patches are available, there is a small chance that someone may get cracked data, but the probability of a huge virus situation happening in the meantime is cut down hugely.

You are making a big assumption, Mike. Namely, that knowledge of the hole is limited. The only situation your scenario applies to is when a researcher discovers a hole while examining code and no evidence for the exploit of that hole exists in the wild. Such is RARELY the case.

It is because of exploitations that the vast majority of holes are discovered, and usually only when they reach the "Script kiddie" stage, when exploit tools are passed around, and inept SKs don't use the tools well enough to cover their tracks. Keeping secret the knowledge of holes the SKs are pouring into only hurts the consumer. The vendor has no financial liability because of their EULAs and disclaimers, which is one reason why Scott Culp and Microsoft have not done a "Mea Culpa". Their only risk is that the consumer will seek software solutions from other sources, and they will lose revenue. The consumer, on the other hand, is at much greater risk because they have fewer financial resources than MS and cannot absorb losses as easily.

No need to start another debate. Bruce Schneier pretty well sums up both sides in his article at:

http://www.zdnet.com/zdnn/stories/comment/0,5859,2824251,00.html

Jerry
Nebraska Dept of Revenue