You're right, but it will still get you into legal trouble. Not only may you not get a bounty, but they might sue or press charges for essentially copying and scanning their source code.
Generally "gray hat" and "corporation/law-friendly" don't mix, even if there are some cases that call for it.
From Wikipedia, which agrees with my understanding of the phrase: "… such people sometimes act illegally, though in good will, to identify vulnerabilities in computing processes." My point, though, is that it's hardly out of scope when it's a valuable resource for developing novel attacks on in-scope domains.
Using login in credentials that are not your own found in a public place to take source code is like finding someones house key on a park bench and coping their secret invention designs or trade secrets.
As I read it, he didn't use the credentials to take the source code; he found the credentials in the source code. He used the credentials merely to verify the credentials were valid.
Define "take" source code. Do you mean "read" or "access" source code? I know this is an aside, but I think we as a community need to be more judicious in our use of criminally-accusatory words, especially when it comes to taking/stealing/theft vs copying vs distributing/selling vs reading/watching/accessing. They're all very, very different things.
You read my post in the ~5 secs widow where it had the word "take." It was the wrong word because in the case I was talking about it would not have deprived Prezi access to their source code.
I thought the whole point of gray hat is that it's possibly illegal, but not downright "evil".
i.e. Stealing source code to fix bugs = gray, stealing source code to steal credit card info = black