I seem to be alone
in wondering what is the point at all in publishing this 'research'.
I see the company would benefit from his initial advice, but I can share their concern about subsequent publication. How would they know all users had patched?
What value does the wider community get from knowing the entrails, rather than the existence, of this vulnerability? OK, if it is novel then some anonymous details might help other programmers, but otherwise I reckon blurting the works is no more than self-aggrandisement.
Even though I am very doubtful about the publication idea, if it were me, a polite request to defer and a bottle of champers would be infinitely better than raising the landsharks. That does smack of management-by-panic.