Imagine if every open source contributor behaved like that.

"I found performance problems in your software, but I won't disclose them until you fix them."

"I'm a designer, but I won't disclose my improvement to your project until you adjust all the CSS bugs in your project."

If that person is skilled with finding security bugs, then that could be their contribution to that open-source project, like any other contribution.