Security Posturing: Awareness, Advocacy, and Grandstanding

There are numerous stances that a researcher can take when disclosing a possible security vulnerability. The first is to do absolutely nothing -- simply hold onto it in the hopes that it can be leveraged in the future. Obviously, there is not much disclosure happening and the vulnerability will most likely never be addressed. Other, more public, methods are awareness, advocacy and grandstanding.

Awareness can come in many forms. The best form of awareness is to report the security vulnerability to the vendor and work with them to see that it is resolved. Most often, this can be done in a private and responsible manner. The information security landscape has changed in the last several years and most vendors are willing to accept and accommodate security bug reports.

Another way to raise awareness is to publicly post details of the vulnerability to blogs, mailing lists, and forums prior to notifying the vendor. That traditional "full disclosure" mentality may still have merit, but the time is long past when this is considered a truly productive method of information sharing. If the goal of security is to make people safer, publicly disclosing newly discovered or previously unknown exploits prior to a patch being made available is not furthering that goal.

Occasionally, though, recalcitrant vendors refuse to acknowledge privately reported security vulnerabilities or won't address publicly reported vulnerabilities and continue to ship exploitable products. In these cases, advocacy is an appropriate approach. This could involve simply creating an exploit for the vulnerability and releasing it. The example attack should do more than just regurgitate the proof-of-concept in the original vulnerability report. It should show a real-world version of the attack and meet some defined goal. If those actions can be accomplished, more widespread dispersal of that information is appropriate, be it through forums, blog posts or mailing lists.

But, if a real-world attack cannot be constructed, the vulnerability is best left to drop until an exploit can be developed. Continued broadcasting of a questionable vulnerability is nothing more than grandstanding. Spamming mailing lists and making copypasta forum postings of half-baked ideas does not engender much respect from the community at large. To be a bit hackneyed, either "put up or shut up", and if you can't, "quit while you're ahead".

Claiming to have some significant exploit and then refusing to release it because "it's too dangerous" rings quite hollow when it is discovered that the vulnerability was never reported to the vendor in the first place. It is also poor form to recycle vulnerability reports against a product when the vendor has addressed the issue in the most recent supported versions. Taking a well-known, publicly reported vulnerability and hyping it in some sort of attention-grabbing attempt is quite distasteful. These shallow stabs at fame-mongering are simply useless if they don't make positive contributions to the community dialog.

And sometimes, it is as much a matter of presentation as it is content. Making a conscious decision to not take part in the established process and then later railing on that very same process does very little to improve one's professional image. A history of such behavior leads to a reputation that is hard to shed, no matter how much quality or relevance some information has.

To put it plainly, if I have to ask "Is this bogus?" every time I see a post on a given blog or from a particular individual, I will be much less likely to trust the source of that information over time.

Posted by gfleischer on 2008/02/11 at 12:43 in Rants
