I gotta admit that any time I see "OMG! I found this hack! But I'm not going to tell anyone about it because you're all pansies!", I take it with a grain of salt. Sort of like those "Security sites" that republish each other's warnings over and over again but never point out that the issue had been fixed 10 releases ago.
I know when I see them about once a week on the Wp.com forums, it's usually either a hoax or the poster is freaking out over why their picture didn't upload.
Not saying anything about Dave as I don't know him personally nor do I read his site, and please don't think I'm taking what he says lightly. But, if it's true, and if staff has been made aware of it, why do we have folks trying to push back the 2.0.4 release on wp-hackers currently in light of the "needed" security fix?