This is assessed based on how hard it was to elevate your access rights (whether it requires physical access, user cooperation, etc.), not on how much damage you can do - because once you elevated your rights the possible damage is unlimited.
Except in that case, he unearthed another completely unrelated vuln.
I agree that some actions are u ethical, but does that really matter so much when a black hat is unethical anyways? The fact that he reported meant he was harbored no malicious intent.
How is collecting logins better than that? Seriously? This is completely malicious if you ask me.
Moreover, we must not judge each case strictly to the same rule, but with a measure of consideration of the circumstances as well.
As Wes proved, a simple looking RCE can lead to a huge breach of security due to failures in other areas.
I agree that limits must be established, but also, these must not end research so abruptly as they can lead to further information.
One might argue this is unethical, but a black hat doesn't care either way.