It's not a security or economy vulnerability, but i still wanted to loosely follow something like Project Zero's Vulnerability Disclosure Policy from my first email. Though, from this FAQ:
Doesn't disclosing a vulnerability when there's no fix endanger users?Since Project Zero typically discloses only one part of an exploit chain, attackers need to perform substantial additional research and development to complete the exploit and make it reliable. Any attacker with the resources and technical skills to turn a bug report into a reliable exploit chain would usually be able to build a similar exploit chain even if we had never disclosed the bug. They would either have the ability to find and exploit their own 0day vulnerabilities, or have access to a range of other interchangeable bugs (e.g. other fixed/disclosed bugs from the past weeks/months).
There's no "exploit chain" in this case... it's too simple to do and not really technically difficult at all. If I left out how to reproduce it and was more vague in my bug report and post, it'd take more effort for Valve to read while still being nearly as accessible to exploit for those who wanted to.