I would like to maintain credit for finding it, as well. I don't want to "hand it over" somewhere only to have my name stripped from it.

it would be better if you could send it to the vendor only and wait for their responce , M$
usually responds really fast and they will tell you if they are intrested or not,
then they will ask you to wait for some time so they can do some research ,most people
including me do not like waiting for one or two weeks and they would post it to bugtraq or
fulldis , if you can not wait for two or three weeks send it to [email protected] they would open a new bid if it is really a vulnerability and then they would ask you if they can add the exploit to their database or not this is real good because you can protect the users by asking sf not to release the exploit . I have workd with securityfocus.com on three or four vuls and i would recommend them in case you want to release it to the public.
here is a list of some comp/orgs you can send your vuln to:

comp/org....................................... contanct info

http://[email protected]
http://[email protected]
http://www.securityfocus.com...........urityfocus.com
http://www.securitytracker.com.........itytracker.com
http://[email protected]


..