[yuye]

And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

I'll admit it is a bit funny and the damage caused is tiny(just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.

[lopis]

He could have just tried it on his own table (order on the phone, and then on the laptop through the vulnerability) and avoid having to a) bother others, b) waste food. The result would have been the same.