That's because it's not a vulnerability per se. They found a way to use `rm` as a gadget for their privilege escalation.

The core problem is that there's a world-writable directory that is processed by a program running as root.

reply
It's a race condition that can be used as a primitive to achieve privilege escalation, which makes it legitimate, but even if you couldn't use it for anything else but to trick the system into acting on a directory it didn't mean to, it would still be a valid vulnerability (regardless of the application).

Claiming it's not a valid bug would be similar to claiming an infoleak isn't as well when it's one of the building blocks of modern exploitation.

I'm not trying to be an ass, I'm just trying to add a bit of context to ensure that the implication is well understood.

reply
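As an added example (not from either commenter and not the code of the program under discussion): one way a privileged cleaner can delete inside a world-writable directory without re-resolving a path between check and use. `safe_unlink`, `demo` and the `/tmp` paths are hypothetical names constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: delete `name` inside `base`/`sub` without resolving
 * any path again after it was checked. Returns 0 on success, -1 on refusal. */
int safe_unlink(const char *base, const char *sub, const char *name) {
    int rc = -1;
    int bfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (bfd < 0) return -1;
    /* O_NOFOLLOW: a symlink swapped in for `sub` makes openat() fail. */
    int sfd = openat(bfd, sub, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    struct stat st;
    /* Check the object we actually hold, not a path that can change. */
    if (sfd >= 0 && fstat(sfd, &st) == 0 && st.st_uid == geteuid()
        && !(st.st_mode & S_IWOTH))
        rc = unlinkat(sfd, name, 0);   /* resolved relative to the held fd */
    if (sfd >= 0) close(sfd);
    close(bfd);
    return rc;
}

/* Constructed scenario: returns a bitmask of the checks that passed. */
int demo(void) {
    char base[] = "/tmp/spoolXXXXXX", victim[] = "/tmp/victimXXXXXX", p[256];
    if (!mkdtemp(base) || !mkdtemp(victim)) return 0;
    chmod(base, 01777);                       /* world-writable, like /tmp */
    snprintf(p, sizeof p, "%s/job", base);      mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/job/tmp", base);  close(creat(p, 0600));
    snprintf(p, sizeof p, "%s/keep", victim);   close(creat(p, 0600));
    snprintf(p, sizeof p, "%s/evil", base);
    if (symlink(victim, p) != 0) return 0;    /* stands in for the swapped dir */
    int ok = 0;
    if (safe_unlink(base, "job", "tmp") == 0) ok |= 1;    /* real dir: removed */
    if (safe_unlink(base, "evil", "keep") == -1) ok |= 2; /* symlink: refused */
    snprintf(p, sizeof p, "%s/keep", victim);
    if (access(p, F_OK) == 0) ok |= 4;        /* file behind the link intact */
    return ok;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```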