The fact that the author had to publish a third-party patch because the vendor didn't consider it a vulnerability is not a great look