Irrelevant. If he found these bugs, even if he’s been a dick about it then he still found a bunch of vulnerabilities that Uber was exposed to. Pay the man, it’s a few thousand dollars as opposed to a major exploit!
But that's my point. Of course he deserved a payout if he reported a previously unknown vulnerability. What I'm saying is that he (appears to have) behaved in such toxic way (sow) that someone denied something he deserved (reap). All parties in this are squishy humans with emotions.
No one looks good - he doesn't look good for how he behaved/communicationed, Uber doesn't look good for denying the payout on a valid report, and Hackerone doesn't look good for not enforcing a minimum payout on a valid report.
No one looks good - he doesn't look good for how he behaved/communicationed, Uber doesn't look good for denying the payout on a valid report, and Hackerone doesn't look good for not enforcing a minimum payout on a valid report.