January 8th, 2005, 03:54 AM
#1
Advisory advice
So let's say John Doe has found a critical vulnerability within X operating system.
John Doe informs the X developers about the hole, and X is patched. John Doe releases an advisory and proof of concept shortly after.
Acme Co. has a server on (unpatched) X operating system. Hacker Bob reads John Doe's advisory and uses the PoC to exploit Acme Co.'s server. Acme sues John Doe for releasing the advisory and code which was used to exploit their server.
What can John Doe do to protect himself? I'm wondering if it's possible to apply something like the GFDL or some other license to the advisory and software to prevent lawsuits or whatnot.
Any advice would be great, thanks!
P.S. Any other tips or insights on the disclosure process would be helpful as well.