"Reported-by" reads like: "this person mentioned the problem to us". In this case he did all the heavy lifting which is like 95% of the work. How is reported-by a proper accreditation? I feel like many commenters here never had to debug any complex or subtle, hard-to reproduce bugs. Either that or there are many assholes on this site.
Well, maybe there should be a 'contributed an improperly signed patch with issues' tag that would cover the situation. But in the case of mailing to a security list your general expectations should be to hope that it will be included, and hopefully speedily.