There are cases where vulnerable code is found, but it may take weeks of tinkering to actually build an exploit that gets arbitrary RCE.
An example could be a buffer overflow that only allows a few bytes to be written. At first, you're likely just causing segmentation faults. DEP and ASLR will make writing an exploit that gives RCE difficult. This is when an attacker "may" be able to do something, if there's an attacker determined enough to figure out a full exploit.
The original researcher might not be interested in spending that time and just wants the vendor to fix it.