Indeed, discovering this bug wouldn't take any security skill (I imagine it could be harmful since you might skip really dumb stuff like this) and could easily happen by accident. Responsible disclosure is standard for security researchers but I don't think this person was one, and it's not very fair to blame him for not doing it right.

That is not the case among infosec professionals either. Many respected professionals believe that the right thing to do in many cases is full public disclosure. Google Project Zero are a notable example.