
The idea to raise this topic was inspired by statements from a representative of one well-known maker of office software. Who exactly, I will keep to myself.
The essence is as follows: in this representative's opinion, publishing information about vulnerabilities found in popular software products is evil, because if the vulnerability is really critical, attackers will have time to exploit it before the manufacturer fixes it. From this perspective, an enthusiast who has found a vulnerability is obliged to notify the software manufacturer and calmly wait for the bug to be fixed. When that will happen, nobody knows; it depends on how "busy" the developer is.
I do not know how everyone else thinks, but to me this seems fundamentally wrong.
Reputable companies have a staff of highly qualified programmers and developers. They can be assigned to developing a new interface (on an old engine), to developing a colour scheme for the menu bar, or to eliminating the errors that have been found. Whether to work for reliability or for hollow marketing is the policy of each particular company, and publishing vulnerabilities in open sources makes it possible to see what that policy is. If your product is a pink glamorous hack job full of bugs and holes, you can release a new version every day, but the competitors will still eat you.
And it seems ridiculous that a group of programmers cannot find a way to eliminate a vulnerability in their own code faster than a lone hacker can write an exploit and spread it. If you cannot work quickly and efficiently, get out of the market.
Personally, I think it is quite normal to notify the developer about a bug that has been found, and then, if there is no intelligible answer or only a sluggish brush-off ("no, we will not change it, because it is uninteresting and non-critical"), to publish it for everyone after three working days.
I propose that we discuss the topic in the comments.