I believe that the best approach to handling security issues is responsible disclosure. The process is pretty simple:
- I find a bug/security issue;
- I write a proof of concept exploit for it;
- I report it to the vendor, demonstrating that it is a real security risk;
- The vendor fixes it and releases an update for it;
- We agree with the vendor on a reasonable full disclosure time;
- I publish the article about the issue with the proof of concept code.
This process has a couple of advantages. First of all, it ensures that the issue will be public sooner or later, and after that end users will usually update. Secondly, the vendor has enough time to fix the issue, it does not have to do it in a hurry, potentially introducing new bugs or not properly fixing it.
I don't think that silently patching a security related issue is the solution. By silently, I mean that the vendor does not even disclose that there where security related issues, which were fixed in a newer release. I think that it is important to let users know that they should update, because if they don't, they might get exposed.
Given that this whole process can sometimes take weeks, there is a possibility that other people find the same vulnerability. In order to be able to take credit for a particular issue, I will post the MD5 hash of a file describing the issue. The MD5 hash will also be published on Pastebin and Twitter to get a time stamp too.