I work in the field and can say there's tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.
And the bad hackers? They submit these to competitors like Google who then "leak" the news about competitors flaw.