The problem is that unless you publish the vulnerability and prove to the public that it exists, the manufacturers have little incentive to spend money on a recall and the vulnerability continues to spread in the criminal community.
Publishing the vulnerability also allows other white hats to propose a possible workaround that owners could implement before dealers have a permanent fix, e.g. physically removing part of the management interface from the vehicle, or just to know not to park such vehicles in high-crime areas in unsecured parking lots because the car could be more easily stolen.