They provide e-mail addresses over their regular web interface as well. That's why the e-mail field in the account settings says '(publicly visible!)'. This guy is not outing a dangerous, unknown vulnerability—he's just making it a little bit easier for people to behave like obnoxious asses.
I've gone in and removed mine. I can't be certain but when I signed up (before it went fully public, I think) I don't remember it saying the e-mail would ever be visible (and I used the same unique e-mail address I use for all my Git work/commits). So it's well worth GitHub users double-checking what they have in their profile "just in case" they entered it at a time they thought it'd be private.
A little while back I got an email from someone using this feature to send out his résumé! Quite an ingenious use, I thought: find all X developers near Y and send them a friendly form email, customised using other details available from their account (like their name), with your résumé and contact information attached.