I can honestly say that I am a huge advocate of full disclosure. As long as the bad guys are willing to share the vulnerabilities they know about with us, I think we should share as well. Ooops, that’s not how it works, now, is it?
All kidding aside, what on earth makes people believe that "Full disclosure is the only thing that forces vendors to fix security problems." ? Here’s a thought exercise: which would be more damaging to a software maker’s reputation – 1) a fully disclosed vulnerability amidst the pomp-and-circumstance self-congratulatory event like Microsoft Tuesday; or 2) a brutal, no-holds-barred slapdown of an O.S. compromise found in the wild and culminating in a loss of hundreds of millions of dollars? The answer is self-evident.
Now, lest anyone start screaming about my insensitivity and acting as if they care about that latter scenario (though there is ample evidence that they don’t), let me be clear about it: There is nothing we are doing today that precludes it.