Within my own company, we have had discussions about how often and how widely pen testing should be announced. One extreme believes that there needs to be widespread knowledge so that the hounds can be called off if production were to be impacted. The other extreme believes that op-sec is required to maintain the integrity of the test. The best answer is probably somewhere in the middle.
The DRC recently became a great example of not getting this balance correct. Yesterday, they publicly announced an attack, which got widespread media attention. Today, they ended up walking it back. Apparently, their white hats and their IR team were not on the same page. It also appears that the white hats may not have been engaged by the organization that owns the servers, which does create a legal risk (CFAA) for the white hats.