Oracle: Oracle encourages independent security researchers to follow a 'responsible disclosure' policy. Researchers notify vendors about a vulnerability and do not publicly disclose information regarding the vulnerability until we have released a patch for it.

... which is all well and good under you realize that Oracle is horrible about patching security issues, regularly taking not weeks, not months, but years to release a patch. If Oracle thinks security researchers are going to wait years, they are mistaken. At that point, its irresponsible not to release a public notice.