Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/

I think that's taking it a bit too far. There is a little agreement between a part of the open source community and Microsoft that information on security vulnerabilities need not necessarily fulfil their maximum blessing when revealed to the general public the very moment they're discovered. However, from what I remember of the MS article, Microsoft would rather have people never release vulnerability information as long as there's no vendor fix *and* a method of deployment to almost all 'customers'. That, of course, shows the direction MS wants to take and it's exactly what full disclosure is set to prevent: vendors keeping vulnerabilities secret, not doing anything about them and denying their existence until it is proven otherwise. This is very much different from 'responsible' conduct with security vulnerability information. See Bruce Schneier's good article from last September on the window of exposure and full disclosure at: http://www.counterpane.com/crypto-gram-0009.html#1. Cheers, Tobias