It appears he wants to publish the vulnerability (might be a novice security researcher) without getting sued.


He is very, very unlikely to be sued provided that (i) he didn't explicitly agree to a contract forbidding security research when he acquired the application, (ii) he acquired the application lawfully, (iii) he at no point solicited business from the vendor of the application, (iv) he didn't exploit the vulnerability in any way that could be construed as having caused direct damages to the vendor, and (v) he is scrupulously honest and careful about how he writes the finding up.

Contrary to popular opinion on HN, finding vulnerabilities in software you yourself run on your own computer is rarely fraught. We hear about the exceptions in the news because they're exceptional. In reality, people publish vulnerabilities all the time.

The same thing obviously CANNOT BE SAID about finding vulnerabilities in other people's web applications. Finding web vulnerabilities without permission is highly fraught. You can easily find yourself both civilly and criminally liable for doing so.


I would adjust "other people's web applications" to be "in other people's deployments."

For example, it is fine to take someone else's commercial web app, install it on your own server, and beat it up.


That is a good point, thanks for amending.
