I understand the various incentives for Onity, and I think a great incentive for them is, given six months to address the issue, knowing it'll be made public, to take at least some proactive steps such as notifying large customers or being ready upon public disclosure with a mitigation plan.
His whole blog entry is a lot of handwaving to cover up the fact that he never even gave them a chance to do something anything like the right thing.
That being said, I think this kind of thing should be covered by whistleblower protection laws (I don't know if it's ever been tested)... although it seems those are only enforced when it's convenient.
So while I think he may have reached the right conclusion, I don't think it was for the right reasons. If sufficient protections for disclosers are in place, this should be a relative non-issue (though it makes sense to adjust the disclosure window based on the ease and risk of the vulnerability in order to apply pressure for an expedited fix).
Given there's no payout for the researcher other than having the vulnerability fixed, it is conceivably not too hard to defend against. That doesn't change the fact that they can be sued, which is expensive, time-consuming, and stressful.
Alternately, do so 'legal anonymously', perhaps by the EFF approaching the company and saying "we have in our possession information on a security vulnerability in your product. We want to give you information on it. In six months this information will be made public. We ask for and want no compensation or consideration at all."
That's it. There exist methods to do this safely; Daeken could have done it, and didn't.
I'm not paying a lawyer because you have broken software that I had nothing to do with making.