[girvo]

Ignoring the bounty thing for a second, their email response "we think it was in good faith" seems... Not right to me. Am i reading that weird or did they seem pissed about him finding something like that?

He plugged a huge issue for them, and they screw him over due to "scope"... That's their choice, but it still seems bureaucratic to me.

[rtkwe]

They're talking about viewing the source code and testing the login. The author could have just reported the leaked credentials and not logged on. Testing them especially since it wasn't part of the program falls under potentially extremely malicious.