This year we decided to resume the publication of vulnerability details detected during researches and penetration testing.
In 2006, because of a number of reasons, we decided to shift the burden of publishing vulnerability details to software vendors and stop publishing the details about previously detected problems. However, many customers ask us to assist in vulnerability elimination in third-party vendor software. This induces us to resume the process.
The most interesting current problem (in my opinion) is a number of vulnerabilities in VMWare that allows attackers to gain access from guest to host OS. And right to the kernel.
I personally treated different methods to eliminate vulnerabilities in third-party vendor software, from Full-Disclosure extremism to selling vulnerabilities in the “white” market, for example, iDefense (http://labs.idefense.com/vcp/). Some thought are available here: