Would love more details, since shorting a stock when you know about a critical product vulnerability sounds like "material nonpublic information" to me which would make this insider trading.
I wonder if this is more along the line of finding an exposed database in the wild, or tracking down OEM suppliers and buying samples.
It's hard to love people doing this, because they could have disclosed this privately, but I think it _is_ fair to impose a high cost on not ensuring security, and this is one way of doing that.
You're free to discover flaws in products and trade ahead of announcing them.