
There is a place for public notices of foul play by companies, certainly. Normally, though, those accounts garner my sympathy when they explain the full support story and get snubbed by a representative, usually after at least some waiting.

Not saying that the OP didn't wait plenty of time, but I would find his complaint more compelling if he had mentioned how long ago he contacted them.

Confidential discussion with the company seems like the best option -- if you're Dropbox. To Dropbox's users, immediate and full disclosure is the best policy. The bug reporter needs to choose between these extremes based on the nature of the bug and I think you're oversimplifying matters by claiming the bug reporter should always cater to the company's interests (even if professional courtesy demands granting them some leniency).

Factors suggesting immediate disclosure is appropriate:

1) High benefit of informing users (high severity bug, easily avoided if you know about it)

2) Low impact of misinformation (most of us will check back to see how the story unfolds)

3) Bad faith on Dropbox's part (they knew about this, they knew how much their customers would benefit from disclosure, yet they failed to carry through)


> There is a place for public notices of foul play by companies, certainly.

Why does there have to be foul play involved? Security holes largely exist because of negligence. As do poorly-implemented features. Not everything that is harmful is a result of evil manifesting itself.


I agree -- foul play was the wrong word choice.


I presume you are a Dropbox employee. You seem to be staunchly defending Dropbox to everyone who argues in support of this 'issue'.


I actually dislike Dropbox immensely, but thanks for presuming.
