
Having slides claiming ownership of exploits is a very long way away from having the exploits themselves. Such a commodity has substantial financial value - if an intruder came upon them they'd be unlikely to publicly announce their existence but not release them.

It's possible such exploits don't exist, are misrepresented or were never in HBGary's possession. Exploits have a shelf life that degrades as other actors are likely to discover the same bug, maybe 6-18 months in general wisdom. But, it is always possible to claim you have a private cache and then buy them if/when they are needed.



It's possible that it is all a work of fiction, but Greg Hoglund is an accomplished security researcher. It's certainly a realistic scenario that Hoglund discovered them himself, or purchased them from someone else if he didn't have time to do the vulndev. That being said, if it is fiction it wouldn't be the first time a contractor misled the government about competency.


I agree with you, it's not that I'm trying to say the whole thing is a work of fiction, just that things are often (partially) misrepresented. I believe the breadth of the claimed in-house and unused code is unusual, but certainly not impossible. There seem to be a lot of people that attempt to sell/broker other people's code that they aren't in possession of (since IP protections in these cases are non-existent).

Regardless, it seems anon got a SQL dump, root on a web server and a ticket box, and a Google Apps admin account - these aren't the types of places marketable vulnerabilities are usually kept.


Anon got more than that. Anon got passwords that got reused. I would be shocked if they did not poke around the network more to see where those passwords would go, and (given that passwords were reused where they shouldn't have been) I would not be surprised if there were not some more interesting places that they got into.


Is it not morally wrong as a non-black hat to not inform a company about a vulnerability you've found?

I thought only black hats sat on exploits.
