From the article:
When Al-Khabaz and fellow student Ovidiu Mija reported the problem to the school's director of Information Services and Technology, they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz' next step that landed him in trouble with the school. Two days later, he decided to check to see if the flaw had indeed been fixed, using a site security scanning tool called Acunetix.
"Hey, you gotta security hole. It's right here!"
"That sucks, thanks for telling us. We'll get it fixed immediately."
Now, "immediately" when dealing with a third party vendor's software usually means reporting it at the earliest possible moment (which depends on whether the college had 24/7 support for the software or 8/5, for example) and then staying on them to make sure it gets fixed.
Two days later Al-Khabaz decided to threat scan it again. He didn't call or email and say "Hey, you ready for me to test this again?" or even "Hey, I'm gonna double check this for ya'!" And, we don't know whether he scanned the vulnerability or, as indicated in the article, took advantage of the tool's capability to scan everything.
"Hey, your office was unlocked so I went in and hung out for awhile. You got a lot of stuff about people in there."
"Ok, thanks for letting me know."
"Hey, your office was unlocked again so I went in and hung out some more. You've got a lot of stuff about people in there."
A "martyr" ? -- not so much.
