Comment by TomatoDash

I wonder if that behaviour is misconduct under the rules of the researcher's university. It seems at least highly questionable for a university employed researcher to, in effect, feature request a privacy vulnerability in order to later be able to publish an academic paper on that vulnerability.