in reply to Re: application stress testing with Perl
in thread application stress testing with Perl

I'm personally of the opinion that security flaws should be made public. Of course there will be people out there who will exploit the information; however, who's to say you're the first to discover the bug?

Making the bug public at least gives users the opportunity to do *something* (extra monitoring, taking down the service, etc.), rather than being blindsided by a previously "unknown" attack...

I'm also a fan of letting the vendor know about the exploit before going public, so at least they have some time to respond...
