I am all about exposing vulnerabilities but I honestly think there needs to be a dialog with the vendor first. Especially for exploits like this where there is a lot at stake.
I find the excuse of 'there is nothing they can do anyway' very poor. I have no doubt that this technique is known to locksmiths and law enforcement and maybe a smaller group of criminals. But making this public and exposing it to the world will allow any criminal with a soldering iron and an Arduino to start exploiting this.
Daeken, you have done an awesome job making this known. Maybe that is enough to get the ball rolling. Or do you just want to do damage for fame and profit?
Upon discovering the vulnerability, the only real action he could take which would be universally considered unacceptable would be to use that research to go around breaking into hotel rooms (which is illegal).
If he decided to go into business selling devices to bypass hotel room locks, there would also probably be a majority opinion that that isn't really "above-board". Even that isn't necessarily universally agreed on though (as there are a lot of people who argue that providing access to tools isn't criminal).
But he didn't do that either.
He decided that this was a pretty severe vulnerability (made worse by the fact that remediating it isn't trivial), and that he wanted people to know about it.
Hoping that the vendor will sue him to prevent that information from being disseminated is about the worst possible outcome from research of any kind; ignoring the fact that you don't seem to posit any rationale for what exactly they'd be suing about (protected trade secrets? violation of a license agreement?)
The thing about "responsible disclosure" is that it isn't something that exists by fiat. It's an intentional reframing of disclosure policies by vendors to attempt to steer the research community towards doing what's in the vendors' best interests.
I understand their desire to reframe that policy, but that doesn't make it "the only ethically responsible way to conduct vulnerability disclosures".
Recently, there's been a lot of news about BMWs being able to be stolen trivially through access to the OBD port on certain models. There's an OSVDB entry for it and everything‡.
That's another example where providing information to the public was considered to be very important (like the issue Cody discovered, it's also not something that can be easily fixed. It's also been ignored by the vendor).
In virtually all other regards, making research public is considered the responsible thing to do.
While I'm not a card-carrying member of the full-disclosure sentiment, I strongly disagree that releasing research publicly is boolean irresponsible.
Full disclosure is a lot of fun, and it increases the status of geeks like us, so it's really to approve of it. I did when I was in college.