by merijn481 4693 days ago
They didn't pay because he messed with other people's data. That's a clear no-go.

He couldn't have proved it without doing that.
He could have made test accounts with appropriate privacy settings. He could have just told the security team, "Your server does not validate permissions when posting to walls, so if you change this specific HTML form value to anyone else's profile ID, it will post to their wall."
It's pretty freaking obvious there was a language barrier problem here. He knew of the whitehat program, but not the ability within it to create test accounts: he asks the security team to set up a test account so he can post to it to show them the problem.
And then they would have paid....