Responsible disclosure isn't a law; it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non-disclosure are valid choices as well.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
Or maybe they shouldn't revoke the very accounts researchers are required to use to communicate exploits to MS?