
But everyone can fix this problem by setting a root password. So telling everyone is the right call. Otherwise people would be sitting vulnerable while Apple comes up with a patch.


But a tweet isn't really the most effective way to tell everyone. Technical people, including those who would use this vulnerability for malice, will find out far, far sooner than my grandmother.

It seems to me the right thing to do is to tell Apple privately, tell them to either push a fix or put out some kind of release letting all their customers know how to mitigate this in the next, say, 3 days, or I'll just tweet about it. What's the downside? In the worst case, you just prolonged the status quo for another 3 days.


It's not the most effective, but that doesn't make it bad, or malicious.


I agree this person isn't malicious, certainly. But I do think his decision was bad. Not "bad" in the moral sense, but "bad" in the sense of being sub-optimal.


Was his tweeting strategy more or less "sub-optimal" than Apple's security QA? I think we're focusing on the wrong part of this story.



