As author of GeSHi I can confirm this is basically how things played out. I sent Secunia a very irate e-mail asking them basically WTF they were smoking, and as far as I can tell they didn't publish a vulnerability for it.
They've tried on other projects I've been on, such as Mahara. They went trolling through the changelogs of old releases for the word 'security', and hit a git commit that fixed security being too tight on something - and sent an automated email saying they wanted more information about the vulnerability so they could put it in their database! They got another irate e-mail about that one.
Secunia, in my experience, are scum looking to justify their existence rather than actually help.