First off, I'd like to share my own opinion on the issue. I feel that right now there is a lot of paranoia in the world about computers and computer security. As a result, there is also a lot of paranoia and misinformation out there. Even in the industry, amongst competent people, the same problems exist - paranoia and misinformation, although to a lesser extent. People are afraid to advance their knowledge of systems and network security because they fear that they will become the suspect in the next (inevitable) compromise of security. I believe that, like myself, many people who read Kuro5hin have seen flawed security setups during normal use of a system, and would fix and/or report them, if not for the personal risk to themselves.
In a previous article, I outlined a somewhat different approach: using government intervention to help secure critical parts of the network. While that may very well be a viable option, I have another one as well - a private organization with no ties to the government.
This organization would maintain a contact database for a variety of ISPs and would be able to verify vulnerabilities as they are reported by people who know what to look for. Any such verification test would, of course, be logged for legal purposes. The organization would then contact the appropriate people, informing them both of the problem and of a solution (if one is available). The anonymity of the person reporting the vulnerability would be assured both by policy and by safeguards built into the reporting system. Although this is based on trust, the reporter would be expected to keep the information to himself or herself for a few weeks while the issue is addressed.
Reputation would be critically important to such an organization, as would having several lawyers on tap to deal with the frequently oblivious and belligerent administrators (and law enforcement!). Affected organizations would, of course, be given the opportunity to fix their systems on their own. In any event, a publicly accessible database would note the vulnerabilities which have been discovered and their current status. To keep script kiddie activity to a minimum, only organizations which have refused to acknowledge or fix a problem would be listed in the database - the database is there so that the person making the initial report can obtain a status update without revealing his or her identity.
I believe that an organization which could respond rapidly to these problems and ensure an anonymous reporting system would be invaluable, and, provided such an organization could maintain good standing in the security community and not engage in "black hat" activity, I suspect law enforcement would be willing to work with it, or at least give it some slack, in dealing with and responding to possible situations before they become front page news. Similar to "crime hotlines", this would act as a computer security hotline. Maybe at some point a reward might be offered to people locating vulnerabilities in critical systems; who knows?
There is ample evidence to suggest that this is workable from a legal angle. Again, looking at "crime hotlines" run by private organizations, these places have obviously been able to maintain the anonymity of the reporter. Hotlines have also been put to some less stellar uses. In addition to this, organizations like Dance Safe have shown up as well. In brief, they offer to test the ecstasy that you may get at many raves to see whether any impurities have been added, as such things can pose a health risk. Law enforcement in many areas has been receptive to this, preferring to "go easy" on ecstasy users in exchange for lowering the number of hospitalizations - an equitable tradeoff, I think.
Conclusion: I think a private organization with a good reputation would be able to help address these problems, bring attention to a major issue, and do so without people having to take personal risks, thus improving both the number and the substance of reports made about security vulnerabilities in the wild.