Alternately, do so 'legal anonymously', perhaps by the EFF approaching the company and saying "we have in our possession information on a security vulnerability in your product. We want to give you information on it. In six months this information will be made public. We ask for and want no compensation or consideration at all."
That's it. There exist methods to do this safely; Daeken could have done it, and didn't.
I'm not paying a lawyer because you have broken software that I had nothing to do with making.