Agreed. Especially considering how easy it would have been to contact them privately and directly.
A 2 second google search for kidspass uk shows a sitelink for their "Contact Us" page, listing both a phone number and email address: https://www.kidspass.co.uk/contact-us
So unless that page was added post-incident, then IMO both Alex and Troy did not do responsible disclosure.
Hopefylly they where give more then a few weeks time to fix it. But by reading the article it seems they where impatient and didn't even wait for the weekend to be over before publicly announcing that the site had a vuln. And he didn't give instructions on how to repeat the "bug" in the DM (Twitter Direct Message).
Considering his follower base there might have been a number of people interested to know what it was, and capable of finding out by themselves. And from the article it seems the tweet did set off a "hacker feast" against the site.
A 2 second google search for kidspass uk shows a sitelink for their "Contact Us" page, listing both a phone number and email address: https://www.kidspass.co.uk/contact-us
So unless that page was added post-incident, then IMO both Alex and Troy did not do responsible disclosure.