That's only proof of the vulnerability. Where's the proof of it being misused by the vendor?