Dermot, which specific exploits are you referring to? I generally will only report vulnerabilities and privacy issues if they've become public or are close to being public, but there are exceptions of course (such as severe/critical ones I know about or have found myself). Unlike Dazza, I don't share exploits for 'fame' or so people can abuse them to have "fun", eventually leading to them being patched. I believe it's the wrong way to go about it, however, there have been a few cases in the past where I have done this (WAP Mobile single packet server-side boots, etc).

I believe in both full and partial disclosure, but only after the vendor (in this case Yahoo! Inc.) has been contacted first. If they're willing to work quickly to patch severe and critical vulnerabilities then I don't need to make them public. Some of the ones I've publicly released over the years have taken no longer than 24-48 hours to patch. Other people's exploits, some having been widely abused for long periods of time, can take months for Yahoo! to notice and patch.