This is assessed based on how hard it was to elevate your access rights (whether it requires physical access, user cooperation, etc.), not on how much damage you can do - because once you elevated your rights the possible damage is unlimited.
Except in that case, he unearthed another completely unrelated vuln.
I agree that some actions are unethical, but does that really matter so much when a black hat is unethical anyways? The fact that he reported it meant he harbored no malicious intent.
How is collecting logins better than that? Seriously? This is completely malicious if you ask me.
Moreover, we must not judge each case strictly to the same rule, but with a measure of consideration of the circumstances as well.
That's why some get a 10k payout and others get a 2.5k.