The point is that finding a vuln and investigating it to the extent required to prove it works is security researcher behavior. Actually exploiting it and dumping all of a site's user data is malicious. If he had leaked stuff relevant to the capitol riots or something, maybe understandable, though using the vuln to do so would still have been wrong.
FWIW my guess is there probably wouldn't be any downvotes if you just wrote "is a girl/woman".
Personally I don't care about the difference but just mentioning "pronouns" seems to be enough to trigger the downvote reflex - "pronouns" has been abused to create so much drama the last few years that I can kind of see why people react even if I don't do.
