I agree, this was probably a bad example because involvement seems a bit of a stretch (although posting on a known black hat forum might change some variables).
What if you had only told your friend of the particular vulnerability and he used that information to write an exploit?
Writing an exploit is also not illegal. Using the exploit is a problem.
If you tell your friend about a vulnerability, and he writes an exploit and then uses it to break into a retail chain and steal credit card numbers, then you have a problem. Not because finding the vulnerability is illegal, but because there is now a chain of evidence that might link you to something that is unambiguously illegal.
You won't be held liable for unwittingly enabling the crime; you'll be accused of sharing the vulnerability with the express purpose of enabling the crime (actually, maybe, technically, with the purpose of enabling any crime; conspiracy laws get weird). That intent will be something that needs to be proved in court.
That liability is still a stretch, doubly so if, the moment you find out that your friend is doing something crazy, you inform the authorities.
What if you had only told your friend of the particular vulnerability and he used that information to write an exploit?