Yes. The underlying problem is that knowing about the vulnerability is not an issue. Getting to the point you know about and are sure it’s a vulnerability almost certainly will implicate whoever discovered it in a CFAA crime (and those punishments are ridiculously severe for what counts as committing them in most cases).
Most of these things are best done across non-cooperative international borders, just to reduce the incentive for ‘throw them in jail’ as a easy ass covering measure.
Most of these things are best done across non-cooperative international borders, just to reduce the incentive for ‘throw them in jail’ as a easy ass covering measure.