Exactly. The guy might not have the best English or highest level of maturity, but it's not like he found a flaw and ran around saying, "Haha, look what I can do!" with no justification.

He submitted a security flaw to the Rails issue tracker. It was shut down by committers saying, "This isn't a real flaw, it's everyone's responsibility to secure their own apps."

At that point, a reasonable response is, "Yes it is, you dummies. Watch as I use it to pwn multiple high-profile production rails sites."