Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system – demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…)
At this stage of the game, this might be an interesting approach to disclosure (I guess this is sort of like the video approach that Dave Maynor did a few years back…). I am not completely sold, since I am not clear on how much this approach would lower the attacker’s cost.
This contrasts with Tavis Ormandy’s disclosure of the Java Web Start vulnerability which was simply a debacle of disclosure.