I think point of hashing is to prove that researcher has indeed found the vulnerability first and reported it to the vendor. It is proof for "this summary was written by me 2 months ago".

Hash must be posted to some archived/public place (tweet, mailing list, etc) that can be referenced at later date when actual summary is released.