I'm old enough to remember when you didn't disclose vulnerabilities unless and until the impacted organizations/software projects had the ability to patch and had been given time to patch. But I guess everybody just loved shitting on WordPress too much and it was too easy to just extend that to everything else.