Sandi brings up the question of responsible disclosure.
Over in Sandi Hardmeier's blog, I see again that a site was hacked following a public disclosure of an exploit, but prior to the availability of a patch. Sandi says:
This makes me ponder the ongoing argument about "responsible disclosure". Should Gulftech have publicly announced the exploit?
Of course Gulftech should have publicly disclosed the exploit ... after Invision released a patch, and after a majority of Invision's aware customers had a chance to apply it.
If these companies really care about "I was first" bragging rights, they can cryptographically sign and timestamp the document, and release the signature as soon as they first have a private document describing the exploit. Then they can release the document itself after the patch, we can all check that their signature matches the description of the exploit, and marvel at how smart they are to have found the exploit before anyone else.
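As an added illustration of that sign-now-publish-later scheme (this is example code written for this page, not anything Gulftech or Invision published), the program below commits to an advisory by signing its SHA-256 digest together with a timestamp, and later checks a released document against that commitment. It assumes Ed25519 keys and a constructed sample advisory; the timestamp is whatever the signer claims, so in practice the published signature would need to be lodged with a third party (a mailing list archive, a timestamping service) for the date to mean anything to anyone else.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Commitment is everything the researcher publishes on day one. It contains
// no exploit details: only a digest of the private advisory, the claimed
// time, the signature, and the public key needed to check it.
type Commitment struct {
	Digest    [32]byte
	Timestamp int64 // Unix seconds, asserted by the signer (not independently proven)
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewKey generates the researcher's signing key (Ed25519 is an assumption
// of this example; any signature scheme would do).
func NewKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// commitMessage binds the digest and the timestamp under one signature, so
// neither can be swapped out later without invalidating it.
func commitMessage(digest [32]byte, ts int64) []byte {
	msg := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(msg, uint64(ts))
	return append(msg, digest[:]...)
}

// Commit hashes the still-private advisory and signs digest||timestamp.
// The advisory text itself stays with the researcher until the patch ships.
func Commit(priv ed25519.PrivateKey, advisory []byte, ts int64) Commitment {
	digest := sha256.Sum256(advisory)
	c := Commitment{
		Digest:    digest,
		Timestamp: ts,
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
	c.Signature = ed25519.Sign(priv, commitMessage(digest, ts))
	return c
}

// Verify is what everyone else runs after the advisory is finally released:
// the released document must hash to the committed digest, and the signature
// over digest||timestamp must check out under the published key.
func Verify(c Commitment, advisory []byte) bool {
	if sha256.Sum256(advisory) != c.Digest {
		return false
	}
	return ed25519.Verify(c.PublicKey, commitMessage(c.Digest, c.Timestamp), c.Signature)
}

func main() {
	// Constructed sample advisory; stands in for the researcher's private write-up.
	advisory := []byte("Hypothetical advisory: input validation flaw in example forum software, details withheld until patch.")

	priv, err := NewKey()
	if err != nil {
		panic(err)
	}

	// Day one: publish the commitment, keep the advisory private.
	c := Commit(priv, advisory, time.Now().Unix())
	fmt.Println("published digest:   ", hex.EncodeToString(c.Digest[:]))
	fmt.Println("published signature:", hex.EncodeToString(c.Signature))

	// After the patch: release the advisory; anyone can check it matches.
	fmt.Println("released advisory matches commitment:", Verify(c, advisory))
	fmt.Println("edited advisory matches commitment:  ", Verify(c, append(advisory, '!')))
}
```

Note what the check does and does not prove: a valid commitment shows the signer held exactly this document when the signature was made public, but it says nothing about whether the document was correct or whether the vendor had been told.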
There is one concern here, though. When public disclosure happens, the discloser can throw up their hands and say "it wasn't us that wrote the virus - must have been some member of the public". If researchers hold off public disclosure until after the patch, any pre-patch virus that comes out might make the researchers suspect number one.
I don't think that's a reasonable fear, though, because such researchers would be beyond reproach, compared with researchers who publicly disclose prior to vendor patches, who are quite definitely and deliberately giving the exploit details to virus authors.