• idlethreat (edited 8 years ago)
    +1

    I did a quick perusal of the security overview (linked above) and this is exactly the way that you handle a security issue. Namely, the researcher contacts the vendor first, they isolate and define the security problem, and issue a report back to the vendor. The vendor fixes the issue and then, and only then, does the researcher report the problem to the world.

    What happened in Jeep's case was irresponsible and wrong. It could have jeopardized innocent people as well.