Usually, these kinds of articles are released after the company fixes the security vulnerability. The company actually works with the security researcher and gets them to hold off blogging and publically reporting the bug. Companies like that because then there are no zero-day exploits, and researchers do it because that industry is entirely reputation based, and if you tick off enough companies, you’re out of a job.