
I don't think anyone's arguing that a researcher has a responsibility to tell anyone. If they find a vulnerability and then decide to completely shelve it, that's fine (if maybe a little pointless?). But if they do decide to do some kind of disclosure, I (and others) would argue that researchers have an ethical responsibility to do so in a way that they believe will do the least harm.

It's certainly reasonable to argue which kind of disclosure is the best way to achieve minimal harm, but my opinion is that it's unethical to disclose without considering what method of disclosure will do the least harm, or, worse, just not caring and going for the "biggest splash", as is what it seems these researchers did.


