The vulnerability was public, known for years, and no doubt already exploited. Making a splash about it on GitHub, popular as it is with rails hackers, is the best thing that could happen to the security of the rails ecosystem.
The class of vulnerabilities was known but not this particular case. That's like saying people should publish 0-day buffer overflows because it's a known vulnerability class.