
I think it's reasonable to tell the vendor first. I don't think it's reasonable to freak out about a general, detail-free announcement, and especially not with "omg there goes my weekend" and "you're helping the bad guys" nonsense.

The mere announcement of the existence of a bug, with little enough detail that it won't help anyone find it (i.e. "RCE in Windows" is useless), does no practical harm. It might be a bit rude.

It's the announcement of details that help people find the bug that hurts. If the original announcement was "RCE in Windows due to type error in malware protection JavaScript interpreter" then that would potentially help bad guys put together an exploit before good guys can release a patch.

Stuff like responsible disclosure (coordinated disclosure would be a fine term too) is about the second one, only, as far as I understand it. It's about mitigating the practical effects of the vulnerability as much as possible, not about protecting the reputation of the company or avoiding rudeness.
