What the guy did was not only morally irresponsible but also criminal.
The security community has long had an accepted standard of responsible disclosure, which involves informing the vulnerable party beforehand and allowing them time to fix the problem before publicly disclosing it.
Publishing a vulnerability before giving those vulnerable a chance to fix it is irresponsible, using it to compromise a system is criminal. He was getting off light from getting his account suspended, GitHub could push for a criminal prosecution resulting in deportation and serious jail-time for his actions.
It doesn't matter what he did after the compromise (whether it was benevolent or not), the compromise of an account not held by him puts him clearly into the "black-hat" category.
The vulnerability was public, known for years, and no doubt already exploited. Making a splash about it on GitHub, popular as it is with rails hackers, is the best thing that could happen to the security of the rails ecosystem.
The class of vulnerabilities was known but not this particular case. That's like saying people should publish 0-day buffer overflows because it's a known vulnerability class.
Gaining unauthorized access to an account and using it falls under pretty much any standard definition of "black-hat" and in practical terms breaks computer security laws in pretty much all legal jurisdictions which have them.
If you steal a loaf of bread to feed your family it's still a crime.
Regardless of whether or not you think what he did was justified, it's still illegal. And there are very few serious crimes for which "publicity stunt" will generally be regarded as a good reason.