Is he a government employee? Do "the authorities" pay his salary? Does he have a contractual, paid arrangement with the authorities?
If the answers to the above are all "no", then no his job is not to "go to the authorities".
His business model seems to be to find vulnerabilities, and then offer to sell the details of the vulnerabilities to the relevant manufacturers so they can fix them. Part of that business model is to make sure that the manufacturers want to buy his data.
“a security intelligence firm that identifies risks before theyre exploited”
I guess he just exploits them himself by going to the media
“provide comprehensive assessment and consulting services to protect corporations, government and non-profit organizations.”
How is what he did protecting the gov’t? I you don’t like the word ‘job’, fine...it’s his obligation.