
We're talking about someone posting on Twitter about bugs, not someone giving secret presentations at LUGs.

I don't like telling vulnerability researchers what to do. Of all the ethical issues involved in vulnerability disclosure, the most important to me is the fact that these researchers are doing free work for the vendors, who bear all the obligations of ensuring that they're not shipping vulnerabilities in the first place. I think these debates about "disclosure ethics" mostly serve the vendors, who want to deflect from discussions about how they manage to ship vulnerabilities that third parties can find.

But if I had to have a problem with any disclosure process, it's the "secret cabal" model, which has always been a problem for me, all the way back into the 1990s with things like the CORE list.




I'm not going to argue against your position on security experts' freedom to act because I do not think that any law (or societal taboo) should be made abridging their right to disclose in any way the results of their research. If there is any withholding, I want them to do it of their own accord because they are convinced of the merits of withholding, not because of anything else. So let's set that argument completely aside because there's no disagreement on that front.

Twitter is the equivalent of your local LUG in the scale of things. My mum is not reading Twitter for security news, or even at all. What my mum is doing is having her stuff update. And my dad's no different.

It might as well be some presentation at DEFCON. I want my vendor to disable functionality that's vulnerable. And I want them to be given a chance to do that. If you feel you are adequately warning users by fully disclosing via a Twitter post then so be it. I think I've made all the arguments I have to make on the topic. If they are insufficient, then that is where I must leave it.

To anyone reading afterwards who may not be sure about my position, I feel positively about how this vulnerability was handled.


Twitter is the equivalent of your local LUG in the scale of things.

Not really. Any serious vulnerability in a widely used product disclosed by twitter announcement makes it into the mainstream media in no time and prompts a response by the vendor (if one had not been forthcoming already). Your local LUG, less so.



