Hacker News

BeetleB yesterday at 7:41 PM

So if I found a vulnerability that lets hackers withdraw all the money in your account without a trail on where the money went, you'd be fine with them disclosing it to the public at the same time as the bank learns about it?

Even when there is no known use case of the attack (other than the security researcher's)?

> The vulnerability exists for me either way, and I'd rather have the chance to know about it and minimize risk

By the time you hear about it, the money could be gone because 1000 hackers heard about it from the researcher before you did.

> than to be surprised by the fix and hope nothing bad happened in that meantime.

Hope is not a good strategy here.


Replies

Lammy yesterday at 7:43 PM

Yep, I'd be fine with that. My bank has insurance, and my money would be returned.
