According to the expulsion letter (linked somewhere in his thread) he only reported the issue after he was detected and his access was blocked. That doesn't prove either sides version but shows why one should get authorization before attempting such a thing. After getting caught anyone can say that they were just trying to help.

The letter says no such thing. I don't know why you've taken the trouble to post this falsehood twice in a short thread.

http://news.ycombinator.com/item?id=5096170

Ah, so that means he wasn't even really "hacking". But I still think it is weird that the site calls it him "helping".

Basically he did something he shouldn't have/ He Scanned them again after reporting the bug to "see if they had fixed it" (per his claims).

It seems like he had no malicious intent (At least I believe him) but his school and the vendor basically went nuclear on him.