and these are the good guys?
"its policy against silently patching vulnerabilities, which stipulates that if companies violate that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours"
I absolutely accept that patching without disclosure is bad news, but to insist that disclosure precedes patching merely contributes to global vulnerability. It should be sufficient to disclose immediately after release of a patch -- to give customers the opportunity to protect themselves properly.
I detect many cases of an increasing detachment between vulnerability investigators and the realities of ensuring security, ranging from (let's face it -- threatening) stipulations of this kind to disclosure of obscure attack vectors with recommendations that could interfere disproportionately with legitimate operations (such as a recent suggestion that thermal imaging cameras should be prevented from viewing keypads because they might be used to crack entry codes, thereby also preventing their use in, for example, forensic examination).
But it's all the more problematic when the discoverer of a vulnerability attempts to place a vendor over a barrel. I know there's an (often valid) argument that vendors are negligent and unresponsive when alerted, but I'm quite convinced that threats and "protection" tactics are not the answer -- they perpetuate an antagonistic culture that exacerbates any non-cooperation.