It's either a scam or asshats:
1. Find a flaw in something and publish as an alias on an anonymous publication platform.
2. Demand 0.5 BTC for a canned exploit or 2 BTC for the source. All anonymous.
There's no guarantee that's not a zip with "fuck-you.txt" in it.
Versus Responsible disclosure:
1. Contact vendor with disclosure and give them three months to sort it (in this case, close shop because the product is shit). Vendor can get a CVE sorted for it.
2. Release the source publicly.
3. Self promo based on (2).
This is all about selling this exploit. GCHQ, NSA, Israeli gov, Russian Federation, NK have probably already paid up now because it's chump change which helps no one.
The flaw is probably legit but the researchers are dicks.