The requested person was informed before disclosing it here.
That's not responsible disclosure.
How much time did you give him to fix any vulnerabilities before publicly disclose them?
OP should have atleast notified OgNasty before injecting any scripts.
Is that an objective standard? A hacker's opinion? Or maybe just
mutual respect and consideration?
OP could have done damage if he wanted - or sold the info. He did the moral thing, and there is nothing illegal about it.
Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.