No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?
My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.
But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.
Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.
(Facebook has a web form for it.)