I believe it's Adobe policy to only announce security issues if a fix is available. At least, that's how the policy was a few years back. I assume it's still the same.
It's most vendors' policy, but it usually goes out the window when reports of exploitation surface. If you're hearing about the attacks, it's real, it's bad, and there's no point to choreography anymore.