I resisted the temptation last week, but this article sent me over the edge:
Desautels said he stands by the decision.
First, the exploit will motivate people to patch by giving them a way to test their systems against the vulnerability, he said. Second, it will encourage SCADA software developers to write more secure code.
"I think releasing the exploit code was actually necessary," he said. "He's actually doing a free service. I would believe Kevin has actually reduced risk."
This is 2008, right? Spare us your simplistic 1998 BUGTRAQ arguments. Please. You can't be serious. This, like most vulnerability disclosures, is all about the marketing and rattling the cages. There is nothing richer than consultants/researchers that have no clue about designing, developing, shipping, and supporting products spouting application security cliches that are easier said than done: "add security to your development process," "get rid of stack-based overflows," "do security testing before your release."
The CORE disclosure was handled professionally, but this is amateur hour. But you knew that if you follow SCADASEC or read Kevin's adolescent rant.
And actually, that was my key problem with the release. Not what was released, but how it was released. All the posturing. Listing all the impacted sites and end users? All the little sarcastic comments and the NRA-inspired rhetoric.
Release the exploit, fine. Not a bad thing. But spare us the bullshit, it just undermines your credibility.