Got this from here: http://news.com.com/2100-1012-948310.html?tag=fd_top

By Robert Lemos
Staff Writer, CNET News.com
August 4, 2002, 12:05 PM PT

LAS VEGAS--Security researchers and hackers who find vulnerabilities need to realize that discretion is more important than valor, several federal security experts said at the Defcon hacking conference here this weekend.

Additionally, federal officials also said they would use the government's massive purchasing power to force developers to improve the security of their products.

While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicizing a vulnerability without warning and before a patch has been created could potentially threaten U.S. computing systems.

"Responsible disclosure means not letting out information that could do harm to critical systems falling into the wrong hands," he said.

Schaeffer's comments echoed those of presidential cybersecurity adviser Richard Clarke, who spoke last week at the Black Hat Security Briefings here. Clarke told attendees that finding vulnerabilities in buggy software is important, but properly handling the disclosure is critical.

As Clarke did, Schaeffer also blasted the software industry for the large number of bugs in their applications. "The quality of the software that we are getting is terrible," he said.

Marcus Sachs, a member of Clarke's 16-person Office of Cyberspace Security, warned that the government will use its checkbook to ensure software makers improve their products.

"We, the federal government, have enormous purchasing power," he said. By demanding more secure software, the government can directly affect the quality of product, he added.

The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information as a way to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.

Last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's high-end server software. HP backed off on Friday.

While he didn't support such tactics, Sachs underscored the seriousness of releasing vulnerability information before a patch has been created.

"Microsoft is widely used in the critical infrastructure--more than we thought," Sachs said, stressing that publicized flaws that have not been corrected could damage government systems.

"The time (to deal with this) is now," he said. "We are past the point where we can keep talking about it."

I think the feds are forgetting that they need Microsoft more than Microsoft needs them. Anyways this got me thinking about how software vulnerabilities should be released. So my question is if you discovered a major security hole how would you release it? Would you even tell anyone at all?