Or, more likely, he never contacted anyone (he says he never got a response) and should have made another effort to contact them maybe by directly calling. I wouldn't be surprised if he just used some webmaster email address on the site that gets checked once in a blue moon or his email got caught in a spam filter. Either way, to escalate it by going to the press was a bit of a rash jump to make.
I agree that them responding by having him arrested was a petty act that showed more petulance than professionalism.
As a developer myself I understand the inertia fixing security holes could face, especially if they subcontracted all of it out and that would mean asking for bids, spending $, etc. That is no excuse though for just ignoring it. There is also little excuse for allowing a public facing DB to have SQL injection holes like this in this day and age. The proper coding standards for dealing with this should've been followed from the start.