You too would have been wrong. Here's what Mozilla says about the same issue:
IMPORTANT: Anyone who believes they have found a Mozilla-related security vulnerability can and should report it by sending email to the address security@mozilla.org. For more information read the rest of this document.
Here's what Google says about it:
If you believe you have discovered a vulnerability in a Google product or have a security incident to report, email security@google.com.
Here's what Apple says about it:
To report security issues that affect Apple products, please contact: product-security@apple.com
Here's what Cisco says (they even provide a toll-free phone number!):
Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Cisco PSIRT. Cisco welcomes reports from independent researchers, industry organizations, other vendors, customers, and any other sources concerned with product or network security. Please contact the Cisco PSIRT directly using one of the following methods
You can Google for virtually any major vendor, in the form [report XXX security vulnerability], and get instructions on how to report flaws to them.
Posting flaws to public bug tracking systems is just about the worst conceivable way to do it. Public bug trackers are not always (or even usually) monitored by product security teams. As a result, for many vendors, you can find vulnerabilities in their bug trackers they don't even know about, and nobody else does either, because they were reported to a black hole. You're actually better off writing an angry blog post than putting it in the public bug tracker.
I've reported a bug or multiple bugs to all of those guys, and for the record, Microsoft has been by far the most proactive and aggressive at wanting to get the details to their researchers the fastest.
Ok, I'll grant you the fact that for security issues trying to contact them privately is probably their preference. But in this case we're talking about a bug that causes a machine crash. I don't know, but does that even constitute a security flaw? This is more a major software flaw than a security bug. If all bugs that make browsers crash were sent to that security report email, they would be overwhelmed quickly. If it could be used to exploit the machine I'd be with you and would suggest that the bug be reported through the vendor's security channel.