throwaway763210 4 hours ago
Responsible disclosure isn't a law, it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non-disclosure are valid choices as well. Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
hungryhobbit 3 hours ago
Or maybe they shouldn't revoke the very accounts researchers are required to use to communicate exploits to MS?