The guy who found the vulnerability in 2013 could have simply reported it to authorities at the time. If their turnaround was earlier than 2015, it would have worked out better, yes?
He could have reported this to the Information Commissioner's Office in 2013, and then, if either the company or the IC failed to do anything, disclosed on this exact timeline.
Then, at least, the legal system would have also been given a chance to resolve this without full disclosure and potential doxxing.