You're completely out of it. Telling a teacher is the SAME thing as telling the IT department. Had he just shown this off to friends, I could see you point. But here? No, you're wrong.
I work for a HUGE company. We work on single servers and databases that cost more than the building the OPs school and everything in it is worth. I assure you, if someone in house - employee/visitor/janitorial-services/whatever - finds an issue, they are endlessly praised for bringing it up. One mistake could be a billion dollar nightmare. You know those stories about a big company losing a laptop and releasing some customer data? Hah, yeah right, we got hacked and we're saving face because people are less worried about jacked laptops than a hack/breach. Actually losing a laptop is immediate termination on the spot here. No one ever gets fired after these "stories", that's awfully convenient. It would have been 10x nicer if someone caught this before anyone outside even knew about our issue.
Security is quite frankly THE most important thing for us, and it should be for everyone else. You're upset a student saw "confidential" information about a school? That's cute. The day we I walk in and all our client/patient data has been taken I might as well just turn around and go home - that's game-over.
I'm not saying what the OP is doing is worthless and irrelevant, I'm just saying proper handling of breaches is a necessity at any level of IT. If you don't take it seriously and handle it properly, you're going to get burned. You don't want ANYONE fearing mentioning a possible hole for fear of punishment. If you feel the kid didn't handle the knowledge properly at first, simply add a professional sounding "Next time you find another hole, let me know as soon as you can, I really like being able to have you help us out on this as early as possible."
You have the opportunity to just ask the kid what he did, and move on knowing the solution. It might be an eye-opening discussion with this kid that makes you have a completely new view on a certain attack vector and how things like these could be more easily detected earlier.
Don't fall into "You do not praise a minor for bypassing protocols and taking matters into their own hands when it is clearly not their job nor their business" type thinking. You'll be replaced by someone more open minded and willing to do it for 10% less in the IT world. For all you know, your replacement is the kid you're trying to suppress.