If the student wanted to alert the school to security vulnerabilities, he should have met with someone at the school (IT Department probably) BEFORE he did any real hacking and gotten permission to attempt to exploit the system. Heck, they probably could have even set up a few dummy accounts (created like normal) for the student to do his proof of concept hack on. Companies hire security consultants all of the time to try to hack their system, but the difference is that the company hires the consultant for that purpose. I don't doubt that if someone hacked a corporate computer system without being hired first, that the company would be able to get the hacker arrested.
Techdirt has not posted any stories submitted by elangomatt.