Yes, you're right, my description of the scenario wasn't quite accurate. Personally, I don't think this scenario is unethical (beyond your responsibility to disclose potentially being to the company's users, not the company itself, meaning withholding the vulnerability might be ethically dubious), but as I understand it (IANAL), it is illegal. But the law doesn't always map well onto ethics.