
Exactly; as I said, "disclosing a fact without a reasonable wait" which is fair and ethical in the security world. I'm all for full disclosure, but give the affected parties time to clean up the mess and get PR ready.

After berating one of the "d00ds" involved on Twitter, it looks to me like he told his friend how to exploit the problem, and his friend (or his friend's friend) made the site and exploited the hole.

If I show someone how to break into your house, and that person tells someone else "hey, nbpoole's house is open, let me show you," and your house gets broken into, am I completely innocent of the crime? Security knowledge is the kind of knowledge that gets things broken into, so security people necessarily need to be cautious about who they tell about security problems.




FYI, when I found out about an open ASP.NET padding oracle at Subway.com, all I did was run PadBuster to exploit it without damaging the servers in any other way. Eventually I reported it to feedback@subway.com, and only after a week of no response did I finally post it to reddit: http://www.reddit.com/r/netsec/comments/g9crj/open_aspnet_pa...



