[kevincox]

If you assess that the best time to publicly disclose is immediately then disclose immediately.

But I find that this case is rare. Typically it would be something like many of the following being met:

- It is likely to be discovered by an attacker soon.

- History shows that the company is unlikely to fix it soon.

- Users have some way to protect themselves.

- Your disclosure is likely to reach a significant number of users.

[akerl_]

How do you know it hasn’t been discovered by another attacker already?

[ranger_danger]

You don't, but you make a judgement call based on different criteria, such as how difficult the issue was to find, maybe how popular/big the site is, etc., as to whether or not you think anyone else is likely to know about it already.