To be fair, if a scanning tool running anonymously can muck up your webapp by hitting "GET /article/delete/1" then they did successfully find a problem with your SaaS app.
You're missing the "non-intrusive" point that he was bringing up. While they did find a vulnerability, they went beyond the scope they had agreed to, which is the issue he's describing.