[kelnos]

The funny thing about that is I find his code to be very difficult to read (even just the snippets in the linked CVE illustrate this).

And his attitude is just bonkers to me. "I'm not going to fix this exploitable security issue because I assume that people will configure their environment in a particular way." What? That's... flat-out irresponsible.

[dependenttypes]

He does not have any responsibility against anyone. He released his software in public domain with the source included for free.

[loup-vaillant]

When you release software for the world to use, tell everyone it's secure, even put up a bug bounty… that kinda means you are taking responsibility.

[morelisp]

Putting aside question of if can have responsibility for freely-released work (especially when one has made a big deal of money offered in exchange for this kind of finding), at the time this bug was discovered the software was emphatically not in the public domain and difficult to distribute modified versions of despite available source.