Comment by codetrotter

Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.

Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.