About six months later, according to defense filings, McDanel discovered that Tornado had never fixed the vulnerability he discovered. Using the moniker "Secret Squirrel," he sent a single email to about 5600 of Tornado's customers over the course of three days, staggering the release each day to prevent flooding Tornado's email servers.
The email told Tornado's customers about the vulnerability, and directed them to his own website for information about it.
So what did Tornado do? First, they scrambled to delete their own customers' emails (without their permission) to prevent them from learning about the vulnerability. Then they took other steps to conceal the hole. Ultimately, they fixed the vulnerability and upgraded their general security.
For his efforts, McDanel was arrested, tried, convicted and sentenced to 16 months in the federal pokey, which he has now served. He has appealed his conviction to the federal Ninth Circuit Court of Appeals.
If that stands, watch reports to CERT and Bugtraq drop like stones in the pond.