by killyourheros 5077 days ago
Very few companies will pay for this type of exploit, even fewer will offer a thanks. It's easier to get them fixed this way.

The question is whether it's easier for the security researcher or the users. I don't think it's easier for the users if they end up being exploited for weeks while the vendor rushes to fix it.

If the vendor tries to delay you for months or ignores you, sure. But it doesn't even seem like he tested the exploit here to understand whether it was a serious threat.

They're not his users, and the company, who allowed these vulns in the first place, isn't trying to pay him for his work; see Google, CCBill, Mozilla, etc.