Purely hypothetical situation:
A researcher finds a critical security hole in a major company. Instead of informing the company, the researcher decides to release the vulnerability to the world in full detail. The researcher does not exploit the vulnerability in any way, but someone who reads the disclosure might.
Has the researcher committed a crime? Can the company successfully sue?
I’m wondering about the United States, but if you have insight on another country, please enlighten us.
I am NOT recommending this, just wondering what might happen.
This really depends on the law that you and the vendor fall under. In some countries this can be illegal and you could be charged as an accessory to cyber crime. In other countries, it is perfectly fine.
In any case, a general rule, which is true in most countries, is that after a decent amount of time (30/60/90 days) you cannot be held liable. But this requires you to let the vendor know.