Counting browser bugs to satisfy all

Symantec’s vulnerability reporting was caught in a quandary – report only the bugs that browser vendors (in this case, Microsoft and Mozilla) acknowledge, or tell the world about every needed “tweak” a security researcher finds as well. Instead, the company has agreed to report both.

That whole “if a bug pops up in the woods and nobody hears about it, is it still a bug” question seems to be covered here. But some interesting questions remain. Where does the value of discovering vulnerabilities really lie? Is it in finding the problem, independently, so it can be brought to the attention of the vendor? Is it in fixing the problem once it is found, or even recognized? Or is the reporting of issues by third parties detrimental to the whole system, giving miscreants time to test and exploit vulnerabilities before they are acknowledged and repaired?