[dependenttypes]

He does not have any responsibility against anyone. He released his software in public domain with the source included for free.

[loup-vaillant]

When you release software for the world to use, tell everyone it's secure, even put up a bug bounty… that kinda means you are taking responsibility.

[morelisp]

Putting aside question of if can have responsibility for freely-released work (especially when one has made a big deal of money offered in exchange for this kind of finding), at the time this bug was discovered the software was emphatically not in the public domain and difficult to distribute modified versions of despite available source.