This is really the only point that matters in this whole discussion: Is it fair for someone to have this information before someone else? The answer isn't as simple as the question.
If you ask me, I would want to have full immediate disclosure. The suggestion that the person reporting the bug is the first person to have found it is absurd. Black Hat interests are actively looking for these kinds of problems, and finding them is how they make a living. Forget corporations, Governments are the ones who will pay top dollar for undisclosed exploits, and something like this (enabled by default, invisible in system logs, and in software deployed so widely!) would be worth a fortune. Improperly calculating data size is the cause of nearly all of these types of bugs, so you can really save a lot of time just examining the lead-up to function calls that include a size parameter (memcpy() was used in Heartbleed, but is just one of a group of standard C functions that you would hotlist). But we're drifting a bit.
Heartbleed has two classes of victims: Application Vendors (including web site owners) and Application Users (including average Joe with a web browser). Is it fair that Vendors would get advance notice to patch their systems before Users even know a problem exists? Furthermore, is it fair that only a select group of Vendors would be given that notice? I don't really believe so.
I can see how the entity who discovered the issue would selfishly patch their own systems before releasing it. I get it. But the responsible thing to do after that has got to be disclosing to the upstream vendor. Is 11 days the length of time it took to update Google's entire infrastructure? They're a strange beast, and that would be quite impressive if so, particularly on non-Linux systems where package management/creation is a little less friendly. Either way, given their size, I can't honestly fault them for an 11-day disclosure to OpenSSL. I can fault them for disclosing to their friends first.
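The audit heuristic mentioned above (look at what feeds the size argument of memcpy() and its relatives) illustrated in C, as an added example that is not from the original post and is not OpenSSL's code. The heartbeat-style record layout, the `arena` that stands in for the process heap, the `neighbour` bytes, and the function names are all constructed for this demonstration. The vulnerable handler copies as many bytes as the peer's header claims; the hardened one first bounds that claim by the length of the record that actually arrived, which is the shape of the real fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not OpenSSL's: a heartbeat-style record
 *   type(1) | payload_len(2, big-endian) | payload | 16 bytes padding
 * followed in the same arena by unrelated bytes (standing in for whatever
 * happened to sit next to the record in a real process's heap). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3
#define HB_PADDING   16
#define ARENA_SIZE   64

static unsigned char arena[ARENA_SIZE];
static const char neighbour[] = "SECRET-KEY-MATERIAL";   /* constructed "adjacent" data */

/* Build the arena; returns the length of the record as actually received,
 * which is the value a handler must check the header's length field against. */
static size_t build_arena(uint16_t claimed_len, const char *payload, size_t real_len) {
    size_t rec_len = HB_HDR + real_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, real_len);
    memcpy(arena + rec_len, neighbour, sizeof neighbour - 1);
    return rec_len;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Vulnerable shape: the size passed to memcpy() comes straight from the peer's
 * header and is never compared with rec_len, the amount of data that arrived. */
static int hb_vuln(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                   /* received length ignored */
    if (HB_HDR + (size_t)payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len); /* reads past the end of the record */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)(HB_HDR + payload_len + HB_PADDING);
}

/* Hardened shape: bound the claimed length by what actually arrived before
 * any copy happens. */
static int hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;    /* cannot hold even an empty payload */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (HB_HDR + (size_t)payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)(HB_HDR + payload_len + HB_PADDING);
}

/* Send a 4-byte "ping" whose header claims claimed_len bytes and return how
 * many bytes from beyond the real record ended up in the response
 * (0 if the handler rejected it or copied only the real payload,
 * -1 if the request would not fit the demo arena, -2 on an unexpected result). */
static int leaked_bytes(hb_handler h, uint16_t claimed_len) {
    unsigned char out[ARENA_SIZE + HB_HDR + HB_PADDING];
    /* Keep the demo's over-read inside memory we own; a real server has no such guard. */
    if (HB_HDR + (size_t)claimed_len > ARENA_SIZE) return -1;
    size_t rec_len = build_arena(claimed_len, "ping", 4);
    int n = h(arena, rec_len, out, sizeof out);
    if (n < 0) return 0;
    size_t resp_payload = (size_t)n - HB_HDR - HB_PADDING;
    if (HB_HDR + resp_payload <= rec_len) return 0;
    size_t over = HB_HDR + resp_payload - rec_len;   /* bytes taken from past the record */
    size_t cmp = over < sizeof neighbour - 1 ? over : sizeof neighbour - 1;
    /* the response mirrors the record's offsets, so out + rec_len is where the leak starts */
    return memcmp(out + rec_len, neighbour, cmp) == 0 ? (int)over : -2;
}

int main(void) {
    printf("vulnerable, claimed 30 bytes: %d bytes of neighbour leaked\n", leaked_bytes(hb_vuln, 30));
    printf("fixed,      claimed 30 bytes: %d bytes of neighbour leaked\n", leaked_bytes(hb_fixed, 30));
    printf("fixed,      claimed  4 bytes: %d bytes of neighbour leaked\n", leaked_bytes(hb_fixed, 4));
    return 0;
}
```

When auditing, the question to ask at every `memcpy`/`memmove`/`strncpy`/`read` is the one `hb_fixed` answers before copying: where did this size come from, and has it been compared with the size of the buffer that really exists? In the vulnerable shape the only check is against the output buffer, which is why the over-read is silent: nothing is written out of bounds, so no crash, no log entry.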