Hacker News
by mike_d 1214 days ago
Publishing unpatched bugs is unethical, so no.
1 comment

If the developer refuses to fix the bugs, and if those bugs pose a risk to other users, there is a strong argument to make that public posting of those bugs is the ethical thing to do.

Sev0 security issues aren't secret just because people who mean well don't talk about them; any sufficiently high-valued target is going to have well-funded threat actors working to find vulnerabilities. By publicly disclosing the issues, you let other customers know their data is threatened, and then customers can work together to force vendors to fix issues.

I'm well aware. I have enough other data points that I don't think public disclosure meaningfully makes the platform more secure.

A little bit of PR buzz and customer complaints can get a handful of issues fixed, but this is a bit more systemic.