Confidential discussion with the company seems like the best option -- if you're Dropbox. To Dropbox's users, immediate and full disclosure is the best policy. The bug reporter needs to choose between these extremes based on the nature of the bug and I think you're oversimplifying matters by claiming the bug reporter should always cater to the company's interests (even if professional courtesy demands granting them some leniency).

Factors suggesting immediate disclosure is appropriate:

1) High benefit of informing users (high severity bug, easily avoided if you know about it)

2) Low impact of misinformation (most of us will check back to see how the story unfolds)

3) Bad faith on Dropbox's part (they knew about this, they knew how much their customers would benefit from disclosure, yet they failed to carry through)

> There is a place for public notices of foul play by companies, certainly.

Why does there have to be foul play involved? Security holes largely exist because of negligence. As do poorly-implemented features. Not everything that is harmful is a result of evil manifesting itself.

I presume you are a dropbox employee. You seem to be staunchly defending dropbox to everyone who argues in support of this 'issue'.