Seems like a reasonable idea, though depending on how many users are affected, that may effectively amount to going public. Also only works if the vulnerability gives you access to all customer emails, and you're willing to exploit it to get that info (which might not be a good idea legally speaking).