Edit: Just noticed the OP claiming:
The requested person was informed before disclosing it here.
End of story.
Not yet !
How was the person OP contacted with? Did he even knew the current owner of the website he is testing on and his contact info ? What is the use of making the vulnerability public ?
I don't think anyone/owner of the any website would just avoid acting on the vulnerability when reported. It's even unacceptable that someone denied to act on it once informed.