April 28, 2006

Great Post over at Spire

There's a great post by Pete Lindstrom over at Spire today about Michal Zalewski and his recent disclosure of a zero-day IE vulnerability without notification to Microsoft. Pete takes the "devil's advocate" position, saying that Zalewski's actions are pretty much OK in his view:

Here's the interesting thing about Zalewski's approach: if it inspires a lot of "shock and awe" in you, then you are nowhere near able to protect your environment in a reasonable manner. The fact that he didn't provide enough time for a little song and dance before publishing is pretty much what I'd expect from an attacker, too...

True enough. Anyway, I highly recommend giving this post a read. Just for the record, I don't share his opinion about the evils of "white hats": it seems to me that bugs will always be present in software. White hats find those bugs and ultimately they get fixed; of course they do it because they are incented - either by the press or (more recently) for monetary remuneration. As communism taught us, people are less likely to do things without some kind of benefit to them (i.e., "greed is good"). It seems to me that the current "de facto" process ("flawed though it may be") does lead to bugs getting fixed - and I think that's a good thing.

Posted by Ed at April 28, 2006 08:56 AM