I believe that one of the most important places to contact would be the Computer Security Resource Center (CSRC), at the National Institute of Science and Technology. (http://csrc.nist.gov/) Another place might be the National Center for Digital Intrusion Response, http://ncdir.us/.

If there were a governmental disclosure program in place -- and more importantly, a law shielding those who responsibly reported newly-discovered flaws, as well as a hefty fine levied against infrastructure providers (financial, technological, or transportation) that would be 90% passed on to the reporter -- it would provide an incentive to avoid selling these things on the black or gray markets.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/495/35416#35416