MS will get a better insight as to the flaws in their product and how people will exploit them during this one conference than they would in a whole year looking at it themselves. Passing this up would be plain stupid.
I am all for you when it comes to legally going after people who exploit without permission the systems of others (no matter what their supposed motivation). But doing internal security research and then saying 'hey I found out there is this big error in IE7' should never be illegal. I would not go about it quite that way (I would always give the vendor a heads up but if the problem is not addressed I would feel obligated to let the public know).
I am all for you when it comes to legally going after people who exploit without permission the systems of others (no matter what their supposed motivation).
I agree, with the exception of our military who may do such things against foreign adversaries, at the time of war or in response to hack attempts made against us.
But doing internal security research and then saying 'hey I found out there is this big error in IE7' should never be illegal. I would not go about it quite that way (I would always give the vendor a heads up but if the problem is not addressed I would feel obligated to let the public know).
Finding the holes shouldn't be illegal, but reporting them publicly without first notifying the vendor, or even worse releasing exploit code prior to the vendor having time to develop a patch, should be.