Late last week a hedge fund by the name of Muddy Waters and information security company MedSec made a surprising maneuver. They shorted the stock of St Jude Medical after telling them of two vulnerabilities which St. Jude Medical said were non issues. After being told this, they shorted the stock and published their findings. The St. Jude Medical stock took a 10% tumble on Thursday and a further 2% before trading was halted. MW with MedSec made a tidy profit.
This is the first time we have seen vulnerabilities in cyber defenses being actively exploited to gain a market advantage by hurting a publicly traded company.
So considering the general path for disclosure is either tell the vendor and wait, or sell the vulnerabilities into the vulnerability market (if they can find a buyer) this shows a departure from the standard venues to people finding vulns and making a profit.