The researchers who discovered the recent iPad\/AT&T vulnerability are taking some heat from the FBI. This re-opens the Pandora's Box of vulnerability disclosure. Questions on this realm include: Should researchers "go public" with security holes they discover?\u00a0 If so, when? As soon as they're discovered? After they've notified the vendor? After the hole is fixed? or never? What repercussions should researchers face if they go public with a vulnerability that leads to a data breach? What repercussions should the vendor face if a vulnerability they introduce\u00a0leads to a data breach? How accountable can\/should we hold vendors for vulnerabilities in their software or service networks? And in this case, why should a security research firm, who depends on the publication of vulnerabilities for publicity and credibility, be taking any heat for waiting to go public until after the security hole was plugged by the vendor? I don't even know where the line is right now regarding doing the right thing... let alone what color it is -- black, white, or grey. Would love to hear YOUR thoughts on this -- sound off, please!