Yeah, isn't it pretty standard to first report privately, then report publicly if they don't take any action (and you believe it to still be an issue)? That seems consistent with most organizations' responsible disclosure practices.
This is standard, but there are people out there who believe this is malicious/blackmailing behavior. I think it's the most responsible thing you can do here. This guy could've made a bucket off this find; instead he reports it responsibly and mitigates the risk (with his own money invested) and gets told to pound sand.