
You do whatever you want. You weren't paid to find this issue with the cameras. If you're relying on the behavior, disclosing it will almost certainly get the bug killed. People hold back more serious vulnerabilities than this all the time.

If your values include maximizing the number of people who can tinker with their cameras, publish (make sure you're not falling afoul of the camera's license before you do).

If your values include doing whatever you can to keep the most people safe, then inform the camera vendor, and give them 60 days to come up with a patch or a response before you publish.




> disclosing it will almost certainly get the bug killed.

You must deal with much better vendors than my coworkers do.


Just out of curiosity, is 60 days a sort of undefined (or defined, I don't know) "standard" for disclosure? Not the first time I've seen that duration in reference to a bug like this.


60 or 90 days is pretty standard for non-bounty disclosure, and has been used by high-profile projects like Project Zero.


Why do you assume this is a bug?



