So this situation really was handled with aplomb. However, saying that we "should" handle things this way is about as dangerous as saying we "should" shout out the details of every vulnerability we find. Keeping things internal prevents the community from stepping up. I doubt that all the folks who have dealt with Heartbleed were involved in SSL beforehand. But they were helpful because they knew they were needed, and their ignorance would have hurt us badly. On the other hand, shouting everything out feels like a dumb thing to do. So an off-the-cuff polarizing question like "shouldn't we always handle things this way for EVER" is precisely the wrong response. It's actually the very wrongest.
Discretion, intuition, and rapid initiative. That is how we "should" handle these things. The specifics are case by case.