Larry Seltzer at eWEEK agrees with me about the blatant disregard security researcher Richard Zalewski demonstrated yesterday when he unilaterally decided to disclose a potentially serious security vulnerability in Internet Explorer without providing the information to Microsoft first. Larry's a better man than me and doesn't go so far as to paint Zalewski as the worst person in the (info security) world, as I did, but he does conclude:
"I don't know what the 'borderline extortion practices' he (Zalewski) refers to are, but there's no conceivable value to the public in him disclosing publicly with no advance notice to the vendor. With a serious bug this is on par with leaving gasoline and matches around and pointing out that there are flammable buildings about.
Zalewski may think he's some sort of hero disclosing this information, but his is the act of a vandal. If it turns out that the bug is exploitable and abused before it's patched, then perhaps he'll be proud to be remembered for that. The best we can hope from it is not changes in Microsoft's behavior, but that his bad example will deter others from doing the same."