To be fair there's never a shortage of work to be done. And you're right, they didn't disclose a vulnerability but my point is that the role of gray hats typically is to emphasize known issues exactly because they are known but remain unfixed. I hold the position that shitty situations create better systems or fast-track the inevitable failure of bad systems. Dev time is truly lost on projects that are doomed to fail but do so slowly.