In the OP's case, where the unexpected feature was already officially alluded to, sure. But I think there are probably some unintentional security holes in which it's probably prudent to use a private channel first, and then after it's been fixed or a reasonable amount of time, disclose the problem. The problem, IMO, is worth disclosing publicly even after it's been fixed because it may be indicative of problematic internal practices that may require public scrutiny (or humiliation) to actually fix.