No. That's one of those ideas that sounds great on paper, and in the real world consistently fucks people over. At this point, by posting the vulnerability, we'd be violating our own code of conduct:
In this case, 37Signals has already been notified. They've been told about other flaws on public forums and not fixed them. What would we be accomplishing?
So you think the right plan is to punish the end-users and hope the vendor notices? Do you read Bugtraq? It's a mess.
This strategy works better. Several thousand people have already read Dave's article. We don't have to worry at all about the "wrong people" getting details and messing with other users. This seems like a win-win.
I think a company that goes: "OMG this is a serious vulnerability and there are lots of instances of it throughout the whole system but we'll fix ASAP!!" deserves a longer grace period than another that says: "SO WHAT man, our thing just works...".