Should security experts alert us to exploits?

Recently David Litchfield posted that the recent Slammer worm that affected MS SQL servers was his code. He had posted the code to demonstrate the exploit. He now wonders whether this was a good idea, because someone used this knowledge to create Slammer. “What if someone died because of this?” was one question raised.

Sure, posting exploits could cause problems. However, what if the exploit had not been posted? Then MS might not have created a patch, and when someone *did* find the hole, instead of having an 8-month-old (and well tested) solution, we might be at ground zero, waiting *weeks* for MS to fix the problem.

In that scenario, maybe many people would have died before a patch was available. I think it is wrong to live in fear; that is a philosophy for life in general. Let’s post the problems, make the suppliers fix them, and then the onus is on the user to keep their systems up to date.