Lots of people are saying "But the sites are already exploited" ... they are probably still exploitable further also, and GH/GL don't want to be at that party.
No, they would not be required - they are a private business and set their own terms.
As for being responsible - that is their motivation.
Should I assume that now you have access to this list that you will be contacting the site owners to notify them their sites are infected & exploitable? Would that be responsible on your part?
This is not about whether they are legally required to do anything, but whether what they are doing is responsible behavior.