The hope that no one is willing, or no one is able, to implement an attack is not a security strategy.
Src: Time to Take the Theoretical Seriously | SecurityFocus [Tx @ioerror]
Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers. By raising the amount of work required for researchers to get their voices heard, it makes it all the more likely that attackers will build the tools first.
Chris Wysopal, CTO of Veracode, has an article on the double-edged sword of vulnerability research and disclosure. Here are a few quotes: