Well, yes, you can sue for anything. The barrier here isn't that publishing that a firm is subject to an exploit is specially categorically immune from defamation liability, but the regular standards for defamation, which in the US include falsity, a certain measure of responsibility for the falsity (which carries based on whether public figure or a matter of public interest are involved), and actually damaging publication.