Tension between security vendors, bug hunters continues

04.12.2006

He dismissed suggestions that vulnerability researchers actually expose enterprises to more risk. "Zero-days are actively being exploited by bad guys," Cerrudo said, pointing to recent flaws in Microsoft Office and Internet Explorer. "Also, if you don't see it, it doesn't mean they are not out there."

Rather than worrying about responsible disclosure practices, vendors should be more concerned about "responsible software development," Cerrudo said. "Vendors are used to researchers playing nice" in terms of how and when a vulnerability is reported. "The situation should change. Research costs thousands of dollars and right now vendors are getting [it for] free."

Similar views were expressed by H.D. Moore, founder of the controversial Metasploit Project, which publicly posts vulnerability information and tool kits for writing attack code against them. "The availability of tools such as the Metasploit Framework allows anyone to learn more about security and the exploit process in general," Moore said in comments via e-mail. He too rebutted the notion that publicly posting vulnerability information and exploit tools only benefits the malicious hacking community. "The Metasploit Project puts the 'good guys' on equal footing with the folks who already have the skill to launch these types of attacks on their own.

"There is a myth that 'responsible disclosure' means always waiting for a vendor to patch a flaw," Moore said. "That fails to account for when not disclosing a flaw is putting more folks at risk than simply posting the details to a mailing list."

The fact is that security flaws are very unlikely to remain undiscovered for long, whether bug hunters go looking for them or not, said Robert Palmer, vice president of IT at Lenox Inc., a Lawrenceville, N.J.-based maker of tableware and giftware.