Ed Finkler (of CERIAS) just pointed me to a blog post made by one of his colleagues about reporting vulnerabilities.
The post discusses the risks associated with reporting vulnerabilities, and the conclusions drawn are disappointing but understandable. It's worth a read, and it relates slightly to a discussion Paul Jones and I had last year.
I've seen my share of irresponsible disclosure (and publicity), but it's sad that a basic risk analysis dissuades well-intentioned people from doing the right thing.