IE 5.5 & 6 script security bug
Message
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 00580249
Message ID: 00582238
Views: 29
>>You are making a big assumption, Mike. Namely, that knowledge of the hole is limited. The only situation your scenario applies to is when a researcher discovers a hole while examining code and no evidence for the exploit of that hole exists in the wild. Such is RARELY the case.
>
>If this isn't the case, MS would already know about it, and Oy Online Solutions wouldn't have a leg to even stand on and there would be no use discussing it at all. Sounds like it's the case here. If it isn't, why would MS be so frightened of them publishing the exploit when it already exists?
>
>I'll take a look at your article, it looks worthwhile, but I don't have time at the moment. But either way, secrecy vs full disclosure is irrelevant in determining if a company (MS or Oy Online Solutions) behaved irresponsibly here. That's what we were talking about.

Your premise, in bold above, is what I disagree with, Mike.

We seem to have differing definitions for the words "irrelevant" and "irresponsible".

I define "irrelevant" in terms of the consumer's right to know as quickly as possible about security holes that already exist in their systems that put them at risk for or have already resulted in their being compromised. It is not 'irrelevant' to them as to when they learn about discovered security holes.

It is not 'irresponsible' for either individuals or companies to make public the discovery of such holes as soon as they can, because this is how things have been for the last 10 years. It is 'irresponsible' for vendors to conceal, deny or SPIN away revealed holes. The article explains why in terms that could be compared to a mathematical theorem.

Catchya later,
Jerry
Nebraska Dept of Revenue