> While his intentions were good, I think it was a bit
> naive of him to take upon himself the responsibility to
> make sure the flaws were fixed and conduct a test.

Given that his own personal information could have been exposed by this exploit, it's just as likely that he was acting out of self-preservation rather than merely due to feelings of personal responsibility. The only naive bit here is that he obliterated his plausible deniability via 1) not allowing more time between submitting the report and attempting the scan, and 2) not masking his IP behind seven proxies.