Comment by fragmede
4 hours ago
Depending on the severity of the issue. Emailing support with a draft of the blog post and waiting even a couple of hours for a response so they can fix it first would have been more responsible than dropping the blog post to the whole wide world and catching Mullvad with their pants down.
Why wait for a couple of hours for a response while people who could protect themselves are getting harmed? It's especially true when you don't know if the maintainer/vendor will get back to you at all, or if they even check their mailboxes regularly.
The priority should be on protecting users, and not helping the company responsible for the vulnerability save face, or give them extra time to spin up their PR team, or get a head start on a patch.
When the risk to users is low, or when there's really nothing users can do to protect themselves anyway I'd agree with you. In a case like this where the risk to users can be extremely high and the moment they are made aware of the problem there are steps the user can take to eliminate that risk the safety of those users should outweigh inconvenience to the people responsible for the vulnerability