>You are making a big assumption, Mike. Namely, that knowledge of the hole is limited. The only situation your scenerio applies to is when a researcher discovers a hole while examinging code and no evidence for the exploit of that hole exist in the wild. Such is RARELY the case.

If this isn't the case, MS would already know about it, and Oy Online Solutions woudln't have a leg to even stand on and there would be no use discussing it at all. Sounds like its the case here. If it isn't, why would MS be so frightened of them publishing the exploit when it already exists?

I'll take a look at your article, it looks worhtwhile, but I don't have time at the moment. But either way, secrecy vrs full disclosure is irrelevant in determining if a company (MS or Oy Online Solutions) behaived irresponsilby here. That's what we were talking about.