More on rapid versus responsible disclosure
In my mind, the person who discovered this vulnerability and sat on it for two years because PayPal did not acknowledge it is guilty of irresponsible disclosure. The whole point of responsible disclosure is to give the vendor a reasonable time to respond. Two years is way beyond that. However, I think that this example is the exception rather than the rule. I think for every PayPal example there are tens, if not hundreds, of others where the vendor does respond in a reasonable time.
Another point Martin makes is that responsible disclosure doesn't help against the bad guys, as they know about the vulnerabilities anyway. I think that is propaganda, and without proof I don't buy it. In fact, I think instant disclosure helps the bad guy. Michael over at MCWresearch.com (who, it appears, is a frequent reader of my blog) has written a very well-reasoned article on this that shows some real, concrete examples of why instant disclosure helps the bad guys more than it helps anyone else. No need for me to repeat what Michael wrote, but read it for yourself. It is very persuasive.
I think the vote is in on this one and responsible disclosure is the right way to go!