Approaching the maintainers would be ideal but time-consuming. Disclosing it like this is neutral, I guess. Better than selling it on the darknet.
I do wonder though: if you can tell the AI to search for vulns, can't you also tell it to contact the right maintainer for each one found?
Unfortunately, yes.