has to be fake news.
If you find vulnerabilities, you save their use until you need them otherwise you are merely making your potential adversary more secure.
This is tantamount to an act of war. There is no need to “prove” cyberwarfare capabilities.
When the NSA/CIA spied on journalists, they didn’t tell them. They still deny. When the NSA/CIA monitors your communications, do you think they announce it to you? Why not?
Same principles apply.
The only exception I can think of is if the "fix" would introduce an even greater vulnerability. And even then that is very iffy.
This reeks of fake news.