They are supposed to disclose the vulnerability after fixing it, so their users know they need to take action. That's what the original commenter rightly complained about.