They provide e-mail addresses over their regular web interface as well. That's why the e-mail field in the account settings says '(publicly visible!)'. This guy is not outing a dangerous, unknown vulnerability—he's just making it a little bit easier for people to behave like obnoxious asses.
A little while back I got an email from someone using this feature to send out his résumé! Quite an ingenious use I thought, find all X developers near Y and send them a friendly form email customised using other details available from their account (like their name) with your résumé and contact information attached.
I took the basics of this to see what email addresses it really grabs:

https://gist.github.com/667651

I don't think it's as bad as the author thinks, given that the GitHub account settings page has "Email (publicly visible!)".