Thoughts on Industry Standards for Vulnerability Discovery Disclosures

I guess I don’t really see how it’s a grey area. They did all of the work, it’s their data, they should be able to do with it what they please.

In the referenced incident it’s really hard to ‘guess’ what happened and what was said. For all we know ST approved of this going public, but even if they didn’t, they clearly had plenty of time to do something about it if they thought it was a real issue.

It would be a very slippery slope to say that companies should have the right to control the stories about their security.

Don’t get me wrong, I’m not saying that all security vulnerabilities should be automatically published to the web either. I think common courtesy would be to give the vulnerable company a chance to fix their issues, but they are certainly not “owed” this courtesy.