At least a responsible response
No attempt at spin or denial, more "how the f*ck did it get here" and "let's fix this asap".
I'd reserve your downvotes for the Twitter feed of the security "researcher" who released exploit code without even bothering to inform the software authors. To me, that's malice with intent and could well create culpability for this Akkuş chap if someone gets breached because of this stupidity.
There is a long-established protocol for this: notify, wait (time set either together with product owners or at least a sensible default), THEN publish. As Steam has found out, if you don't work with the researcher you will end up with an arbitrary waiting time, and thus with your trousers down when it goes public, but researchers who do not follow protocol are far more liable to end up with prosecution.