I beg to differ. That seems a false balance to me. It takes a pretty bad lie detector to misplace those boundaries in this case.
Anyhow, it doesn't matter: Just release the exploit publicly. The only reason I can comprehend not to do so is a plan to use it personally in future, for extortion or malice. But I may be missing something.
I think you may be. He may just be not interested and also have no desire to be involved.
If he is mistaken, then he is setting an annoying trap for bears.
If he is lying, well then... he is acting unethically.
If he is telling the truth he is giving a warning for devs and investors.
I hope he explains the exploit.