Sloppy or Oddness:
The timing between "attempt to contact vendor" and exposure as zero day is pretty short. Exactly 3 months from creation of the proof of concept (file created in August); 1 month from "chat" to publication.
https://gist.github.com/tipilu/53f142466507b2ef4c8ceb08d22d1278
Is "online chat with customer support" a reasonable attempt to get the vendor to realize what the problem is?
#09/11/2017 - Attempt to contact vendor
#10/03/2017 - Live chat communications with vendor regarding no reply
#10/25/2017 - Attempt to contact vendor
#11/02/2017 - Advisory published
Web searches for "Debut Embedded HTTP server" don't turn up any open source, and I can't find any mention on Brother's page that their HTTP server is called "Debut". That name only occurs in the reports about this problem.
CVE-2017-16249 doesn't exist yet. CVE-2017-12568 does contain the same info.