Giving security flaws the publicity they deserve: I’m most unreservedly in favor.

Using publicity to hold someone hostage in order to extract money while hiding behind security concern claims: not a good image.

If I were in a situation where I have nothing to eat and urgently need to liquidate such a domain, I would raise awareness publicly but negotiate in private. If I were relatively well-off, I would arrange a pro-bono handover, publicly or privately, and of course try to raise awareness anyway.

To make matters worse, the sale appears to be handled via an auction. The wide publicity given to the event via Brian Krebs’s website must have attracted attention of a wide range of players, motives unknown. For a reputable corporation to find itself bidding against a theoretical Bitcoin millionaire blackhat is far from desirable on a couple levels (I doubt auction’s KYC can really prevent that, but if it is strict enough then I take back this particular concern).

Thus, the situation as it is just seems to smell to me, though I’m not entirely ruling out good faith with unfortunate execution.