That’s where the second and third paragraphs come in. Because other companies likely test it themselves, too.
They’ll typically report security bugs privately and then, after X amount of months, publicly announce the bug. Doing it this way will, ideally, force the other company to patch the bug prior to the announcement. If not, they’ll end up with a publicly known security bug that bad actors can now exploit. The announcement will also let the public (including companies) know to update their software.
Fax machines are actually still pretty widely used in corporate America (but not in households at all). Especially insurance and medical companies. I remember having to ask my dad years ago to fax something for me from his work (a bank’s corporate office) since we didn’t have one in the house. (I don’t remember what the fax was for.)