Normally I'm all for bug hunters giving software companies time to fix before going public...
... But in this case, given how easy the exploit is, and how far removed from the intended functionality, I can't help wondering if disclosing earlier would have been better so people could avoid sending more unencrypted emails that they believed were encrypted.