Ruby’s Vulnerability Handling Debacle (matasano.com)
19 points by luckystrike on July 2, 2008 | hide | past | favorite | 5 comments


What disappoints me the most is that the RoR maintainers made almost exactly the same mistake a couple of years ago, trying to keep a security flaw under wraps rather than being forthright about it.


It's an ego thing. Nobody wants to admit the fact that they made a major mistake.

I look at it differently, though. It's your fault if you use open-source software that's insecure. The code is right there; if the vulnerability was so simple to find and fix, you could have found and fixed it yourself. Since you didn't do that, you really have no right to deride the developer for also missing it.

It's easy to play blogger pundit, but harder to write software that people find useful.


Technically, they did contact many of the people who run the biggest ruby on rails websites before the announcement, which was kind of them.


Especially since it turned out to be a DoS attack vector rather than outright hacking, they really had nothing to hide.


Actually, they've done that several times now.



