Well, they've sort of got a point
Don't know all the details here, but I can see where they might have a point. Vulnerabilities are usually disclosed via *examples*, right? Using the real account of another person, presumably without their prior permission, seems entirely unnecessary. You could just create a couple of example accounts and be perfectly able to demonstrate the flaw without violating anyone else's privacy.