I'm writing a paper about IT security, patching holes, and how I've contributed to this scene (under other aliases and this one). I'm putting things such as securityfocus's bugtraq and other mailing lists, contacting vendors directly, website forums, etc., as means that people use to publish their findings (hopefully legitimately). Thing is, I need to come up with a "hierarchy" of sorts. Or, rather, some way to better describe to a layperson how the security and patching world works, in the subject specifically of exploits/holes/bugs and contributions made by seemingly-random Internet users. Anyone have any input?