If you found out you could easily crack a commercial "protection" method, what do you do?
I'd send it off to CERT anonymously. They have good relationships with vendors, who often put out patches CERT presents them with security-related problems. If I saw no response after 6-12 months (about a vendor release cycle), I might start being more public about it. This solution means that the problem has a reasonable chance of getting solved, without causing too much damage in the interim. If I had reason to believe that some security hole was being used heavily and maliciously by someone, I would explain this to CERT and wait a significantly smaller period of time, like a week or two, before going public. This would prevent people from being unknowingly hurt by a bug. It's important not to go too public too quickly, because people have a tendency to panic. When the 1988 Internet Worm was discovered, peoples' reaction was to pull the plug on the net. This was counterproductive, since it made it difficult to tell people how to protect themselves against the Worm. Parts of the MILNET remained disconnected for weeks. Marc