Originally posted here by TheSpecialist
*Tisk *Tisk... I would recommend contacting the vendor yourself first. And if needed I would also send in a report with disassembled portions of code showing the vulnerable input streams in their software... then simply & quickly explain why this is a problem before actually sending in an actual exploit first. I would only take the advice quoted above as a last ditch effort to be heard.
BUT you did not fully quote me. Because I did mention contacting the vendor initially, I know most exploiters do that [of course it all depends on what colours they wear]. But in case he is seriously scared about releasing the exploit to MS due to legal reasons he could use the SecurityFocus option. I'm not sure whether SF releases the info right away or if they forward it to the vendor [the site is owned by Symantec so I'm pretty sure they're not eager to get in any legal issues with MS].

Anyway if you indeed discovered some serious flaw in SP2, allow me to congratulate you!