It's not wrong to ask for features in open-source projects. Preferably in a gentle and well-educated manner.
Of course, the people maintaining it are under no obligation to fulfill that. Quite often, you might find that they don't implement it right away, but it stays there, awaiting someone motivated enough to do it (this could range from yourself coding it to someone being paid to code that).
And also, there are cases where a request will be outright rejected. not just the cases where the issue is invalid (such as reporting that something is missing that is actually available) but there are also cases when people request Very Bad Ideas™.
Even if providing a patch (which would really speed things up), it's possible that it can be rejected, on the basis on the idea itself, or the way it is being (mis)implemented. Still, Opensource allows you to use such patched version for yourself. In some projects it is common to have highly patched versions, which are kept in-sync across updates (e.g. mutt). Sometimes this can end up in creating your own fork with the feature you want.
Now, let's take a look at the problematic https://github.com/echojs/echojs/issues/12
It is phrased in a somewhat bitter tone, but it could be a useful report. Up until when you post the code to exploit it. I'm not saying full disclosure is always wrong, that's a big debate. However, by doing this you are clearly not making friends with the developers.
As others mentioned, this should have been preferable to send privately to the developers (through a mail to a designated security email address, directly to them, a restricted issue…).
In this case, I wouldn't consider a big problem publishing in public the description itself of the vulnerability, the implications of "there is no captcha stopping spam accounts" are obvious (and it was probably already in their roadmap). But publishing the code in an open issue tracker in the first interaction comes as rude. Just saying instead "I have a 16-line proof of concept I can provide you" would have been much nicer.
Now, some communities would like that a security issue was told completely in the open. You could do that with Linux with the blessings of Linus himself, although in practice issues found generally go through security (and there are strict limits on embargo times on linux-distros, for instance).
You could have been told, "please share your code" or "I cannot reproduce your claim, could you give us more details". And that would have been a completely different scenario.
And then, there is the big issue that you had been exploiting the vulnerability before reporting (or so they think). In a completely unwarranted way and without authorization.
It's true that from time to time, someone reports a vulnerability and, after being ignored or told it's not a vulnerability, they exploit -not without controversy- that "non-vulnerability" to prove their point (examples include Facebook, GitHub…).
However, exploiting a live, production system, without authorization, much further than would be needed to confirm the issue (which shouldn't be tested there, anyway) and telling everybody how to do further harm… It would be delusional to expect them to be happy about that.
Had you needed to first test the vulnerability, you should have prepared a local install, and test it on that laboratory you own. Or, in some cases, there are public test instances which are explicitly designated as allowing vulnerability testing.
And even if you were (wrongly) testing in the production site, absent explicit consent to do otherwise, the proper action would have been to stop any further action once it's confirmed.
(Additionally, do remember that even attempting to attack a site might be illegal on the applicable jurisdiction)
This is akin to you telling a car company they should make their cars bulletproof, since a bullet which came into the hood/bonnet (in an easy way you explicitly detail) makes the motor of the car explode, bursting in flames… through an open letter published in the newspaper… the day after you have been shooting to cars on the city center all day.
Finally, albeit it pales in comparison to the above, I would also like to bring attention to a problem with the attitude you showed. Such as the final phrases
The decision is up to you, whether you want to run such a community, or, shut it down, at least temporarily, fix these problems and run it again.
Saying that it's the duty of users to not spam is just transferring the burden. If you refuse to take action now, it's just bad for all users, People can manipulate votes to favour bad posts without ever getting caught.
or in the replies
I am pretty sure that even without all that exploitation, had I informed you all about this, no one could have cared any less about this issue.
You came angry and confrontational, demanding things from people which don't get even paid for that, after wreaking havoc in the community. That's quite a different scenario than what you asked above. Taking all of that into account, and reading their patient responses, I would consider your issue was extremely well received by them.