Defining responsible disclosure of app flaws

04.12.2006

What about the notion that the bad guys are simply reverse-engineering patches to exploit holes that would have remained hidden if the researchers hadn't disclosed the flaws? That is ridiculous, and history has proven otherwise. The tools to quickly reverse-engineer a patch haven't existed for more than a few years, and the bad guys were just as capable of finding and exploiting bugs at that time.

What's your opinion on responsible vulnerability disclosure? There is a myth that "responsible disclosure" means always waiting for a vendor to patch a flaw. That fails to account for when not disclosing a flaw is putting more folks at risk than simply posting the details to a mailing list. I have been reporting vulnerabilities to vendors for nearly 10 years and still believe that forcing a vendor's hand by releasing early is the responsible thing to do under the right conditions.

What is the correct way to report flaws in software products? In other words, how much time should vendors be given to respond to such disclosures? Is full disclosure necessary in all cases? It depends on the vendor, how fast they respond and whether I am the only one who knows about a given vulnerability.