It’s not an example of security by obscurity, it’s a straight out security flaw and bug.

If it’s not publicly known and is a security risk it is far more effective to directly contact the developers / companies security team so they can immediately work on actually protecting people by developing a patch. If they don’t respond quickly (subjective, I’d call it within 12 hours) or fail to issue a fix in a timely manor (subjective, I’d say 24 hours) then yes - go public, start by logging a bug report and link to that bug report or if you can’t - the bug number / reference.

This is the most idiotic thing I've heard in a long time. Yes, they were already at risk, but with the way he disclosed the information, the risk increased exponentially. This guy's actions were either stupid or malicious.