OK, conversely, you're saying that you should do the wrong thing (as in this case), if there is no financial incentive?
Given you aren't going to get a reward either way, why not do the right thing?
Frankly, I can't believe I need to discuss the morality of this. Is it not obvious?
And yes yes, I realise this is probably a case of Hanlon's Razor, not a moral failing, but justifying it on the grounds of there being no reward is crazy.
This case is not 'the wrong thing'. The wrong thing is selling this data to criminals, or not publishing it at all because odds are someone else is going to find it eventually.
What you're calling "the right thing" isn't zero cost. It takes a fair bit of time (spaced out over a period of months, by the way, so it's not a fire and forget it report) to report a vulnerability to Microsoft and follow up with their security team. More so if your vuln is at all interesting or complex. You may have to write PoCs. Your vulnerability will be patched in 4-6 months (not exaggerating, although this will obviously be quicker if it's made the news somehow), and you'll get a minute credit in their Patch Tuesday notes.
So no, the morality of this is not obvious. Where is my moral obligation to effectively do charity work for a megacorp that can't be bothered to keep up with industry standards in security?
Well, I was just trying to guess their reasoning. I'd have no problem doing The Right Thing™, but I'm nowhere near skilled enough to find a vulnerability anyway.
As it stands I don't think there is much harm done because it's a local vulnerability, crashing a user-mode process. Annoying, maybe, but my graphics driver has a far worse track record as far as bluescreens are concerned.