You realise you're hurting innocent users much more than Facebook itself by not reporting them, right?
No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?
My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.
But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.
Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.
(Facebook has a web form for it.)
It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.