
I'm also not sure what the point of vendor disclosure is, if the product really is EOL



Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.

Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.


Depending on vulnerability impact and difficulty fixing it, some vendors may choose to release a fix even after EOL. Generally EOL means that users should not rely on getting an update (but it still may be released as an exception).


Or the vendor might want to warn users about the vulnerability. It is a different story to say “there might be vulnerabilities, consider updating to some other gizmo” vs “there is a vulnerability, you have to abandon the gizmo”.


The vulnerabilities might still exist in current products even if discovered in an EOL product.


That's a very fair point.


I think the point is to embarrass vendors into extending their support periods. Giving them 60 days to think about that is a shot across the bow.


Sometimes an EOL is ignored if it's serious enough - https://msrc.microsoft.com/blog/2017/05/customer-guidance-fo...


An attempt to avoid unnecessary harm, I'd guess.

To see what they do?

Because it will be more damning if they ignore something significant they had explained to them?



