Just a quick note on terminology (and apologies if this was already corrected in the ensuing pages of replies I haven't gotten to yet). You are describing "white hat" (or "ethical") hackers. "Black hat" is who have now been alerted to this PTP flaw and will be working to make money off it rather than report it to Canon.The researchers did eventually find the keys but ML did not leak them, a quote from the article: "Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end."
"Usual" black-hat "policy" is to wait till a solution is published or two-months if the company is blowing you off. It seems like the former although they may have rushed it by a day or two to present at a conference.
I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that wont be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.
"White" vs "black" hats refer to the old cowboy movie custom where the "good guys" always (or at least frequently) wore light-colored cowboy hats, and the "bad guys" would wear dark-colored hats. A white-hat hacker is using the tools of hacking but with the goal of closing any weakness they find rather than exploiting it.