"The researcher responsibly disclosed the flaw to affected providers but had no luck with Cyanogenmod maintainers"
Let me guess, he approached some key developers directly and got no response? I suspect they get a lot of time-wasting contact from people who claim to have found vulnerabilities and, being a small firm, probably don't really have the resources to deal with every out-of-channel bug report, so probably ignore them all unless they're from people they recognise.
Perhaps there should be a way of submitting bugs to their public bug tracker (which I think is Jira) in such a way that only the development team get to initially see the bug, to aid in responsible disclosure of security issues. Or is there such a way already?
As for the vulnerability itself, at least we'll get a flashable patch in a couple of days. That proves the benefits of CM over manufacturer firmware if anything does.