It seems to me that disclosing vulnerabilities is in a different category from disclosing fraud. In the latter case, the only entities that suffer materially is the fraudulent organization and its investors, in the former you have the additional potential to expose all users of the vulnerable software to risk.