If this was disclosed via a vulnerability disclosure or bug bounty program and there are no indicators of a data breach then it's effectively like the findings from a pen-test so very likely no regulatory reporting requirements.