I see both sides of this. If you put an announcement right away then more people could potentially exploit the Vulnerability until it is patched. On the other side with all of the legislation out there I also do not want to be responsible for vital or private data being stolen because I did not know that was a risk to my data. There needs to be some way that companies that have to be SOX/PCI/HIPPA (US) or the EU’s equivalent of those laws to know that there is a risk out there. There could also be some serious financial impact to companies because they did not protect themselves from the threat.