Reply to post:

Buggy? Angry? LET IT ALL OUT says Linus Torvalds

David Dawson

No, the one does not follow the other.

Hacking tools are built by clever devs, yes. They are sometimes picked up by script kiddies, sure. Where the vulnerability information they are based on comes from is an open question.

There are established market places for information like this, which wouldn't be the case if it all came from public disclosure reports. It seems likely that a goodly proportion of the data publicly disclosed is actually being rediscovered by legitimate researchers, and is in use already as an attack vector.

Publicly disclosing ASAP in those cases is essential.

Part of the problem is that it's very often unclear when those cases are, hence some in the industry leaning towards general disclosure (as Google and Linus promote), and others leaning towards selective disclosure.
