My GOD yes. I spent too much of my life explaining this distinction, not just to vendors, but increasingly to others who think that the vulnerability disclosure model in infosec should be imported to other disciplines (perhaps), but with a little "extra responsibility" (that's not how this was negotiated in infosec, and that's certainly not the way to start exploring the trade-offs in your own area of concern.)