The answer is actually simple. Once you have determined that there is (to quote Bruce Schneier) an 11 out of 10 security problem, you need to get the servers turned off. Everywhere.
Suppose the FBI or Interpol or Bruce Schneier basically said: "There is a serious exploit in OpenSSL. You (as in every organization running it) need to shut down every server now. We will provide the details and fix in 48 hours."
Yes, the bad guys will now know that OpenSSL has an exploit. But they won't know exactly where to start looking. And you have now tilted the foot race for exploitation back towards the good guys. They do need to move fast and get the servers disabled, and perhaps redeploy using alternate, non-involved servers (in this case, non-OpenSSL). But that will be better than letting the black hats jump in, know immediately what the exploit is, and start using it.
In any case, it sounds like we need an RFC and a strict protocol for this.