While Google and MS are bashing each other over whether we should have a responsible/coordinated/full disclosure policy, it seems we might be heading to 'no disclosure.'
RSnake (Robert Hansen) predicts that since the industry is certainly not encouraging enough, and is often hostile toward the disclosing party, security researchers will probably go for more profitable options (such as selling vulnerabilities to black hats) or abandon this field of research – neither of which is a desirable outcome from a security perspective.
We can already see that attitude from Arcos, a security firm, with the recent code-execution bug in Windows apps, quoted in:
http://blog.rapid7.com/?p=5325
“I don’t know if you saw the draft of our new commercial disclosure policy, but we essentially gave up on alerting vendors for free. We’ve been providing free research to them for over 10 years and it hasn’t paid out well. What you’re seeing on Bugtraq now are the “remains of the old days,” so to speak :-) We’ve found better markets for this kind of information. To answer your specific question: no, we have not reported any issues in the products you mentioned – and have no intention to, should we come across one.” [Emphasis ours].
