Even if the company doesn't have a big bounty, publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.