Isn't it considered good security-research practice and just "good manners" to notify the company beforehand and give them a chance to fix the problem before going public and pulling stunts like publicly abusing it, making sure they are publicly humiliated with their pants down?

Judging from the article, he did neither - so don't run crying about "that's so rude".