There are no "people in charge of Heartbleed". There's a bug in the software which went unnoticed by the OpenSSL software maintainers for a very long time, and was discovered by a Google employee recently. Given the person who contributed the bug, it's unlikely that he did it on purpose; he was simply incompetent. The maintainers of the software should generally be considered competent, but they overlooked the bug when they reviewed and accepted the contributed code. There's no reason to suspect foul play; it was most likely an honest mistake. It is possible that a surveillance organization with significant resources might have discovered the bug independently and used it themselves. It's not, at this time, known that information about this bug was on sale on the black market, so it's unlikely that there was large-scale criminal abuse of this bug prior to information about it being openly published.
With the knowledge that the bug exists, full disclosure is really the only ethical thing that Google and OpenSSL could do. If they had just released a fixed version of the OpenSSL software, well, there are a lot of not-so-nice people looking at recent changes in the code of this security-relevant software, and it would have been super obvious to them what happened there! Only a few hours later, the information about this highly exploitable bug would have been on sale on the black market and spreading widely among criminals. Meanwhile, the change would take half a year to propagate to the majority of installations. Half a year in which criminals could retrieve a terrible amount of data. The only solution was to alert everyone at the same time, and loudly, so that really, really everyone running the software server-side takes care to update it. The request to change passwords is so that the data that may have been collected by criminals in the hours (or days) between disclosure and deployment of the fix cannot be used to compromise people's accounts.