There are a number of reasons why the reporting process for bugs needs a blackout window.
Just because a security researcher can discover things about a program that its own developers missed, doesn’t mean they’ve understood the entire picture. If you find one bug, you need to spend time making sure that it doesn’t represent an entire class of bugs. Once the advisory is announced, that’s blood in the water that will attract other predators. Only idiots and tourism companies chum the water before they expect more people to go into it.
Back when PHP was objectively awful, I joined the pitchforks and torches mob based on the litany of CERT advisories against it. I had an argument with a coworker about whether PHP was irresponsible to use, and the very next day someone defaced the phpBB instance he maintained because of an unpatched injection attack. I pointedly did not comment because 1) smug and 2) the timing made me nervous of being accused of having been the perpetrator.
But I did look at the patch that either just came out or that he missed, and was frustrated to find that the same pattern they fixed existed in two other functions.
I really think that it says more about a community, not in what mistakes they make, but how they learn from those mistakes. And I’d like to say it seems like SAP didn’t, but we all know what a beast that thing is. How many tens of millions of lines of code is that thing now? The chances that a person made a mistake and two people they’ve never met copied it are essentially 0.99 repeating.
Looking for and finding bugs and security issues with SAP can consume your time 24/7.
When left a fortune 500 company 2 years ago, many SAP processes were running in background on UN*X with these arguments:
-u USERID -p PW
As a developer I informed the admins a couple of times over the years, the response was "wow, will check it out". But they ran into a mountain of red tape and gave up. So nothing was ever done.
But as a developer and support person, at least I had a way to fix things without falling into the bureaucracy quicksand. FWIW, I only had to do that twice over a 10 year period around Q/E.