Tippingpoint, which operated the "Zero Day Initiative" bug bounty program released 22 vulnerabilities for which no patch is available [1]. Last year, Tippingpoint announced that they will release details 180 days after they are aware of a bug, even if the vendor has not yet released a patch.

The details released include a one paragraph description of the vulnerability, which in itself is usually not enough to come up with an exploit, but it may provide a pointer to re-discover the vulnerability. 

[1] http://www.zerodayinitiative.com/advisories/published/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter