Entirely ethical. Once you've publicized them, it becomes the responsibility of the owner/person in charge of security to fix the blind spots. If they do not fix them, then they obviously decided that the risk was acceptable.
Think about it in terms of risk versus reward. If you only tell them and don't publicize it, the risk is very small. If you publicize the blind spots, then a lot more people know about them and thus the risk is much higher. If the new, higher risk is more than the cost of fixing the blind spots, then they'll fix them.
Slashdot Mirror
Entirely ethical. Once you've publicized them, it becomes the responsibility of the owner/person in charge of security to fix the blind spots. If they do not fix them, then they obviously decided that the risk was acceptable. Think about it in terms of risk versus reward. If you only tell them and don't publicize it, the risk is very small. If you publicize the blind spots, then a lot more people know about them and thus the risk is much higher. If the new, higher risk is more than the cost of fixing the blind spots, then they'll fix them.