Hacker News
by araneae 5741 days ago
If you don't consider yourself responsible for the introduction of the exploit, I'd say do what academics do: publicly publish the exploit.

If you are responsible in any way, though, I'd recommend informing them of the problem. You don't have to fix it, just tell them it's there.

1 comments

In defense of academics, it's quite common to first notify the vendor so that they can prepare a countermeasure for when the exploit is published. In general, publishing without making a reasonable attempt to contact the vendor is irresponsible at best and often downright unethical.