
Could it be that they disclosed it to anyone who was willing to buy their services/sign their contract? They seem to be a business, not some students from academy.


That seems very unlikely. As someone in the industry, I haven't heard of commercial businesses doing that, and in fact know of one court case in the Netherlands a handful of years back where someone tried that ("would be a shame if it became public, I could fix it if you pay me x") and got sued for extortion (not sure if the phrasing was exceedingly poor but not intended maliciously and the court acquitted, or if they got convicted; there may have been two such cases, one malicious and one not, and I'm mixing them up).

My employer (me included) does similar disclosures to vendors and open source projects. Being paid is never a condition for doing responsible/coordinated disclosure. I can't speak for others but, given the extortion allegation risk, I have trouble imagining this is how it went down.

Much more common is being afraid it leaks due to patches landing too early or people talking, and so limiting it to the biggest vendors out there. In this case, I'd say they could definitely have done more coordinated disclosures without risking that...


A very irresponsible business at that.


I suppose they could have just sold it to the highest bidder.


They probably have sold it to several bidders, the legit kind, ones that don't warrant a knock from the Homeland and don't pay in Monero.



