In security circles, if the reporter feels that the bug is not being recognized or dealt with adequately by the dedicated project team, then they have the option (and some responsibility) to report it to the wider community. But *starting* with public disclosure of a security issue is correctly regarded as irresponsible. It serves the ego, enables widespread casual exploits and makes the project look bad without giving them a chance to fix it first.