Anyone who has an unknown vulnerability can make plenty of money exploiting it themselves. Disclosures of vulnerabilities are released for other reasons all the time:
Daily flaws ratchet up disclosure debate
As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals. However, his latest endeavor--releasing a browser bug every day during the month of July--has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.
After the first week of flaws were released, one online miscreant from Russia shot off an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said…
Patch cycles allow IT departments to easily handle updating and testing. Microsoft understands this. Microsoft has been incredibly aggressive with patching over the last three years, yet people still complain. Prior to the monthly patch cycle, you got updates whenever.
Q&A: Microsoft exec defends monthly patch cycle
[b]Q: This is not the first time that an exploit has become available for an unpatched Microsoft vulnerability. Is it causing you to review your patch-release cycle?[/b]
A: We don’t want to release an inferior-quality product. We always have to balance the timeliness of the patch with what the current threat is to the customer base. I don’t think we want to change that balance. If the threat level becomes severe enough, we will release something out of that. But we try to limit our out-of-band [releases] because what our customers have asked us to do is to be predictable.
In this particular scenario, you should know we are not happy with the process this went through. We have an outreach program for vulnerability finders. We work very hard to do responsible vulnerability disclosure, and by somebody not reporting this to the vendor, it is the customers who are paying the price.
[b]Q: Is a monthly patch-release cycle good enough any longer?[/b]
A: We are always evaluating what the right cycle is. So far, the customer feedback has been to stay on this one-month cycle and to monitor how many of these out-of-bands we actually have to do. The last one was in January, and the previous one, I think, was 22 months before that. So if you really look at it in the overall context, it has been a pretty limited number.
We just did a CSO summit in February, and we thought people would be concerned about there being a third-party solution [for the Windows Metafile flaw]. We asked if Microsoft should have [released a patch] sooner. And they said, “absolutely not, you chose absolutely the right thing to do.”
IT departments need flawless patches, not quick fixes. Any competent department can easily work around just about anything.