Hacker News

I'm disappointed nobody has "leaked" the research so far. If they cared enough to research it in academia, surely they know it's important enough for Tor developers to know about the type of attacks they were performing, despite what any government officials might say? At least some hints should be leaked, if not the whole research.


Leaking hints is the dumbest conceivable way to handle disclosure. It taunts the community and sets up a race to independently find the flaw. The race happens much more openly than the original research, meaning that flaws are incrementally disclosed, ensuring that bad actors of every skill level will get a crack at the attack before it's fully fixed.

Don't ever do this, at least not for a bug that matters. It would be better not to disclose at all than to do this.


That wouldn't really be ethical, would it? It would do more harm than good, such as getting a lot of people arrested, tortured, killed, and discovered as spies.

Responsible disclosure is best: get it patched, then release the details of the vulnerability.


There is a limit. You're also keeping information from the victims who can't protect themselves without your information.


You do realize that "leaked" information on the Tor network could cost an activist their life?



