Assume you find a critical security vulnerability in your software product (through code inspection) and publish a new version which contains the fix.
What are the next steps you should take? Do you let your customers/evaluators know, do you publish the security vulnerability on particular forums, are there any legal requirements …
The concern is that hackers might find out about the vulnerability before the users have had an opportunity to update their environment.