[darren_]

This case is not 'the wrong thing'. The wrong thing is selling this data to criminals, or not publishing it at all because odds are someone else is going to find it eventually.

What you're calling "the right thing" isn't zero cost. It takes a fair bit of time (spaced out over a period of months, by the way, so it's not a fire and forget it report) to report a vulnerability to microsoft and follow up with their security team. More so if your vuln is at all interesting or complex. You may have to write PoCs. Your vulnerability will be patched in 4-6 months (not exaggerating, although this will obviously be quicker if it's made the news somehow), and you'll get a minute credit in their patch tuesday notes.

So no, the morality of this is not obvious. Where is my moral obligation to effectively do charity work for a megacorp that can't be bothered to keep up with industry standards in security?