>I would be extremely surprised if anyone answered other than full disclosure.

Consider yourself surprised :-)

FWIW, we write software that alot of people used. If someone reported a bug to us that said one of our calculations was off, thats something we want to fix, not something we want to be critized for.

If there is a security bug in IIS, if I were MS, I'd rather fix the bug and release patch instead of creating a Code Red scenario every 2 weeks. And, as a user of Windows and IIS, I'm glad we don't have a code red every two weeks.