> POC of <Vulnerability Description> CVE-XXXX-XXXX
I think this is ethically problematic because while it informs the users of this critical vulnerability in the software product and also advices them to update it, at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.
In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging or inviting trouble to the said product from potential hackers?