by itsdrewmiller 3104 days ago
For 3) what are you not sure about? He demonstrated arbitrary DOM manipulation, and it reads like the XSS worked with some WAF avoidance. Brass tacks: do you agree they should have paid out something for this?

I will not say anything about whether he needs to get paid or not until Uber discloses the report. If he showed that it is a valid XSS and not a content injection, then I guess it would be valid. But again, right now we do not have the report made public.