A few things to clarify:
- he did notify AV vendors trying to get money out of them (I saw this document in my inbox a few months ago).
- almost all the vulnerabilities are in old versions of the software (at least in my case), which is like saying: "I've found a vulnerability in Windows 98SE".