How about releasing the vulnerability in stages? The author jumps from unresponsive vendor to releasing exploit code. What if you add steps between the two?
For example:
- Announcing a vulnerability has been found and identifying the unresponsive vendor.
- Announcing what the disclosure timeline will be.
- Detailing the product lines known to be affected by the vulnerability.
- Publishing communication with the vendor so far with any details about the vulnerability redacted.
- Private disclosure to professionals (doctors & journalists) to have them independently verify that the vulnerability exists and help with raising awareness.
- Full details about the vulnerability, but no exploit code.
This just sounds like responsible disclosure to me, with added steps because the "responsible" part requires you to act differently due to the possible risk involved. This is likely the best way to go, and I'd expect to see some legal advice back it up were it to actually happen that such an exploit existed.