Part of this story is that this man seems to have found a genuine, severe vulnerability, but he has had to put in solid days (weeks?) of his own time to convince the devs of that.
This comment from X is interesting:
Watching with interest. I've been sitting on a number of RCEs for years (far less reach than this one though) that vendors won't acknowledge, but I don't want to go through the legal hassle of just dropping them.
I was thinking, if the devs refused to acknowledge an issue you could light a fire under their asses by telling them you will disclose it in one month. If they truly believe it's a non-issue, there is no problem. If they know full well it's an issue, they'll fix it. Either way, you should be in the clear since they told you it was not a vulnerability.
Now I'm thinking you would have to have some clear receipts to cover your ass. Even if the devs told you it was a non-issue, if it could be proven that you knew better, you could be sued into oblivion for releasing it.
Yeah, a lot of security researchers do exactly this. They say "I'm going public with this in 1 month".
It is amazing how many devs/companies just don't care and won't fix it until it could publicly cause them a loss of $$$ or respect in a community.