The question is, after hearing AT&T prosecute Spitler for discovering such a simple security hole (it could have been a lot more complex), would you feel safe disclosing any security hole, even with the best intentions?
The answer is obviously no, and if you can't make it public without risking being sent to prison, the only option is selling it to some shady spammers.
Which would you prefer happened? From my point of view, what they are doing is basically pushing the hackers to the "dark side".
If we disclose it, we get arrested; if we sell it, we might get caught and arrested, or make a lot of money. I'll take option 2.
Yes, I would, but I'd follow the standard responsible disclosure rules that are fairly commonplace. As far as the information that's been presented makes out, there was no responsible disclosure. In fact, weev attempted to say they were going down that route whilst at the same time discussing on IRC how they could use the information for fairly black-hat purposes.
I think the industry basically needs to take the informal responsible disclosure rules and try to get them made a bit more formal, for everyone's benefit.
One of the ongoing issues in the security industry is that there is no standardized form of disclosure. There are frameworks that have been put together, but only some companies embrace them. Other companies are openly hostile towards any solution that doesn't leave the power entirely in their own hands. Basically, many large companies feel that the public should remain uninformed, which then leaves the company free to keep producing insecure software.
Which is why I think there should be some attempt at a formal body; the EFF is in the right place to spearhead an attempt at implementing something along those lines.