[tptacek]

I would personally disclose RCE in Windows, not least because I think Microsoft does a better-than-average job in dealing with the research community.

But I need to be careful saying things like that, because it is very easy for me to say that, because I don't spend any time looking for those kinds of flaws. Security research is pretty specialized now, and I don't do spare-time Windows work. I might feel differently if I did.

I would not judge the (many) researchers who would not necessarily disclose that flaw immediately.