
The courteous thing to do to the users is to let them know ASAP so they can stop using vulnerable software, without letting the vendor cover up the problem.



That's not a practical solution for the vast majority of cases. Even slow vendors can patch vulnerabilities much quicker than most institutional users can migrate software. If we stopped using software any time a vulnerability existed, we wouldn't be using much software.

This is one of the reasons that responsible disclosure policies exist, and why they are widely adopted in the industry. It is a balance of risk and resources.



