Hacker News

While I agree that the website's response, and the response of many organizations in situations like these, is overly harsh and draconian, if the teen in the story did use SQLi to exfiltrate 500 records then he crossed the line. He should have just shown that the vuln existed without pulling customer data. If the organization pushed back and said it didn't see a problem, then he could offer to write a proof of concept to pull that data, but to just go from discovery to pulling credit card data is a bad move on his part.

