
See this is what I don't agree with. Using a vulnerability to induce action is one thing, and a very important purpose, especially when nothing is being done. Once all has been done that is going to be done however there is no further net positive gain in releasing specifics of the exploit beyond what is vulnerable.

I don't find it perfectly reasonable to assume every hacker will figure it out. Some may, but that doesn't justify dropping the information into the hands of those who wouldn't have but can still leverage it for negative uses.

It's like if I discovered the locks on all BMWs can be popped remotely with a simple code. I tell BMW, and they promptly work to fix it in all cars still under warranty. Kudos to them. Do I then take out a front page ad in the New York Times and say "Hey, just so you know, all old Beemers can be opened easy as pie like this." and call that action justified? And to note, there is a difference between raising awareness by saying "Hey Beemer owners, your older cars have a security problem... you should consider upgrading because you're vulnerable"... and standing on a street corner handing out instructions for grand theft auto. One is raising awareness... the other is explicitly putting at risk owners who might not be able to afford a new car right now... or who might be locked into a cellular contract on old hardware.



Well, I'm sure we can argue all day about whether there's a net positive gain, but the gain is clear: By committing to make security issues public, you're giving manufacturers a reason to continue support for products that they sell, so that they may be less likely to engage in the irresponsible behavior that we're discussing right here.



