Disclosure of Java zero-day prompted Oracle patch, says researcher

31.08.2012

Within six hours of that proof of concept being posted on the web, cybercriminals had updated exploit kits, including the popular Blackhole, to infect vulnerable computers with malware.

Tod Beardsley, an engineering manager at security firm Rapid7, said the company was justified in going public with the flaws because cybercriminals were already exploiting them.

"I certainly don't think that we would have seen a patch from Oracle on Thursday if we had kept it under wraps," Beardsley said. "It was already exploited out there, so I don't think we ran afoul of any disclosure stuff."

In general, security researchers do not reveal vulnerabilities that are not yet being exploited until after notifying the software vendor and giving it time to fix them. "Once it's out in the wild, the cat's out of the bag at that point," Beardsley said.

Wisniewski was not comfortable with Rapid7's handling of the disclosure, saying, "I'm really torn." Because working exploits are now so widely available, many more people are exposed. Rapid7's own estimates are that roughly a third of Java users are not up to date on patches.