The following is meant to be general, rather than about this particular case.

Assuming the goal is to minimize harm, then when to disclose depends on an interplay of several factors. Here are some of them:

1. How many people will discover and exploit the flaw on their own if it is not publicly disclosed.

2. How many people will exploit it if they find out about it, but will not discover it on their own.

3. How fast knowledge of the flaw will spread to the people of #2 without public disclosure. E.g., through word of mouth in hacker or researcher circles.

4. How many users of the flawed system will be able to use knowledge of the flaw in order to protect themselves from the people of #1 and #2.

5. How long the flaw will remain available.

6. How lessons from this flaw will teach others to build more secure systems.

Disclosure affects #2 (disclosure increases harm), #4 (disclosure decreases harm), sometimes #5 (disclosure might push a vendor to action), and #6 (disclosure decreases harm).
