Typically there's a period of responsible disclosure to give the software maintainer an opportunity to fix it before it's widely announced. After that period is up or the fix has been released the vulnerability discoverer is able to announce it and take credit for finding it.
My two cents is I'd say you're a 'manager' if you have the power to hire people, fire them, discipline them, and determine their pay and working conditions.
Generally a "team lead" is just a more senior individual contributor that can help guide other individual contributors. Management may listen more heavily to their opinions on the matters above but they don't have any direct control over it past advisory. Sometimes they may perform some light managerial functions like work allocations but they have no direct power to back that up.
I don't really get the comparison to Vagrant. It doesn't seem like it fills the same role? Can Distrobox be used to share environments with other developers or used in CI/CD processes?
You're making it that much easier for someone to brute-force logging in or to exploit a known vulnerability. If you have a separate root password (which you should) an attacker needs to get through two passwords to do anything privileged.
This has been considered an accepted best practice for 20+ years and there's little reason not to do it anyway. You shouldn't be running things as root directly regardless.
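An added example (not part of the thread above) of the two checks this comment implies: that the root account has its own password hash rather than an empty or locked field, and that sshd refuses direct root logins. The input is constructed sample data standing in for /etc/shadow and /etc/ssh/sshd_config; the hashes are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Audit helpers for "separate root password, no direct root login".
# Sample data below is constructed for this example; the hash fields are
# placeholders, not real crypt(3) output.

SAMPLE_SHADOW='root:$6$saltroot$HASHROOT:19700:0:99999:7:::
alice:$6$saltalice$HASHALICE:19700:0:99999:7:::
svc:*:19700:0:99999:7:::'

SAMPLE_SSHD='# constructed sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes'

# root_has_password SHADOW_TEXT
# Succeeds when root's password field holds a real hash. An empty field means
# no password at all; "*", "!" or a hash prefixed with "!" means the account
# is locked, so neither counts as "a separate root password".
root_has_password() {
    h=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2; exit }')
    case "$h" in
        ""|"*"|'!'*) return 1 ;;
        *)           return 0 ;;
    esac
}

# permit_root_login_disabled SSHD_TEXT
# Succeeds when the effective PermitRootLogin value is "no". sshd uses the
# first occurrence of a keyword, and keywords are case-insensitive, so we
# mimic that: first match wins. An absent keyword leaves the value empty and
# the check fails, because the built-in default is prohibit-password, which
# still allows key-based root logins.
permit_root_login_disabled() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    [ "$v" = "no" ]
}

# audit SHADOW_TEXT SSHD_TEXT  -> prints one line per check, exits 0 if all pass
audit() {
    rc=0
    if root_has_password "$1"; then echo "root password: set"
    else echo "root password: missing or locked"; rc=1; fi
    if permit_root_login_disabled "$2"; then echo "PermitRootLogin: no"
    else echo "PermitRootLogin: not explicitly disabled"; rc=1; fi
    return $rc
}

audit "$SAMPLE_SHADOW" "$SAMPLE_SSHD"
```

On a live system you would feed the functions the real files (for example `root_has_password "$(cat /etc/shadow)"` as root); the sample strings exist only so the script runs offline.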