I'm all for 'coordinated vulnerability disclosure' and giving software makers plenty of time to fix their stuff but I don't believe anyone should be forced to do so.
If someone finds a vulnerability in software they should have the right to do with it whatever they want, whether they inform the company, keep it for themselves, make it public or sell it for profit.
Motives like personal beliefs, financial gain, hate for the vuln company or simply wanting to screw over a couple of thousand people should not matter.
It was after all them who found it, not the people with full access to the code who were supposed to prevent these things and get paid to do so.
All this 'debate' on the subject just looks like companies trying to find ways to make it illegal to point out when they have failed until the issue has been forgotten and is no longer relevant.
And let's face it... the internet without vulnerable people? Where's the fun in that? I'd have to get my viagra spam somewhere else, I just can't imagine starting my day without reading 10 emails telling me how I need larger genitalia.