dh2022 2 days ago

My understanding is this is the standard SOP for security vulnerabilities: 1. Report the security vulnerabilities to the “victim” 2. Work with the “victim” on the schedule for mitigation and publication 3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)

If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.

If the hacker has the emails sent at step 1 he will be fine.

jhanschoo 2 days ago

OP leaked internal business documents as part of their disclosure that had no business being in a disclosure. It looks like minor employee details have been leaked as well, which is very bad.