Well yes, security researchers are. The ones that have a legitimate claim to the title "Security Researcher" bring the vulnerability information first to the company that makes the vulnerable software. Here's where things get tricky. As a software company, you are supposed to:
A) PAY THE RESEARCHER FOR FINDING AN ISSUE IN YOUR SOFTWARE
B) PATCH THE HOLE. (Perhaps by getting the assistance of the researcher.)
If you simply ignore the information about the vulnerability, then why shouldn't that researcher release the information publicly? You obviously don't care enough to support independent analysis of your software, nor do you care enough to patch it. This means that you are then a liability to your customers, and they deserve to be informed. This is no different from the current movement by regular citizens to demand that the governments of the world put into place laws that reveal when security breaches occur which would have left personally identifiable information vulnerable.
If you are unwilling to put the time, effort and money into your products to secure them yourselves then you deserve to go out of business: your products are a liability to those who use them.
Security Researchers shouldn't just be paid for their work; their work should be funded by a coalition of all software development companies, and managed by an industry organisation. Companies and individuals should have to get a licence to be allowed to release code into the wild, and that licence fee should scale to the size of the project, the number of customers and the amount of personal information that code can potentially put at risk. (You pay a fee each year to register your car, and periodically to renew your driver's licence; I see this as little different.) That money should go to the aforementioned industry organisation as a means of creating a "bounty pool" for security researchers. This would then be guaranteed funding for them, an incentive for them to continue, and would mean that legitimate researchers would be registered with the industry association. These people would have their "white hats" firmly in place. ("Rogue" researchers would thus be firmly in "grey hat" territory and could thus be legitimately hunted. "Black hats" wouldn't bother disclosing anything publicly to begin with.)
This would have the added bonus of ensuring that the information discovered by these researchers would have to be disclosed to the industry organisation, and all companies would have a minimum time to respond before the organisation itself published that information. The timeframe available would be shorter based on the seriousness of the bug.
Don’t try turning white hats into criminals. White hats are the only defence you have against black hats.