I would say this should not be done, but not that it should be illegal to do otherwise. Setting this up sets a precedent where a company can produce an unsafe product and when the defect is found the public is not made aware of the problem *or* how to protect themselves from harm.
Imagine if I found a serious defect in a baby car seat model and could not make it public without the OK of the manufacturer? sure my butt would be covered but that would be little comfort to someone who lost a baby in the time it took me to report it to the company and the company decided whether is was worth it to recall or take the risk of being sued.
Why should a computer system be any different? Computers run hospitals, banks, and medical research facilities. Were not just talking about the risk of losing money when a computer defect causes a problem we could be talking about lives!
Because, the fault in the baby seat cannot be used by criminals to steal from or destroy others, purposefully. The baby seat requires an arbitrary accident to occur, but doesn't invite others to crash into the car to invoke it, whereas the disclosure of a vulnerability or hack does encourage those who look for such things to plan to use them immediately on unsuspecting innocents.