I gave Diaspora advice on fixing the vulnerabilities, then a week to do it, prior to mentioning anything more specific than "There exist multiple very bad bugs here."
I misremembered. It is interesting to read that thread again[1] since there was a similar discussion about disclosure.
FTR, I don't think that the gap between saying there is a security vulnerability and describing it is very large, especially when the audience contains capable penetration testers.