Tension between security vendors, bug hunters continues

04.12.2006

Independent bug hunters provide "a valuable service," not just to enterprises but to software vendors as well, he said.

"I would ideally like to see a much closer relationship between software vendors and bug hunters, where they are brought into the software development cycle by the vendors in order to improve the security of their applications," Palmer said. One way to do this would be to give them access to alpha or beta versions of software "with the express intent" of letting them try to crack the software before public release, he said.

But it is important to give vendors at least 30 days to try and address vulnerabilities before they are reported publicly, said Andrew Plato, president of Anitian Enterprise Security, a security consulting and systems integration firm in Beaverton, Ore. "One of the largest problems with independent vulnerability research is blackmailing and grandstanding," he said.

In the past, this has caused a lot of "misinformation and [fear, uncertainty and doubt] about vulnerabilities," which is what has led to the creation of responsible vulnerability-disclosure practices by groups such as the Organization for Internet Safety, he said.

As long as researchers follow generally accepted vulnerability-reporting practices, they serve an important role, Plato said. "Obscurity is not security," he said. "It's better to know about a bug and get it fixed than to have it hidden."