by jdbernard
4575 days ago
No, I'm not going to agree. From Shubham's post it looks like they were already planning to expand the scope of their program in response to his findings. This is from their email to him on Nov. 4, a full month before his blog post:

"First of all, we're still very thankful for pointing this issue out. The credentials you found were a real threat. I agree when you write it was easy to exploit. [...] When we created the terms and conditions, we tried hard to add every web app which we have impact on, and where a reported issue is a value for us. At that time we weren't thinking of leaked passwords or such. In the past we turned down the bounty requests of people finding issues in out-of-scope services. We had a lot of internal discussions about your request: if we were about to pay, we couldn't justify our out-of-scope decisions for anyone else."

It seems reasonable from that email to assume they were discussing this incident seriously and thinking about how this would affect future bug bounties. I am willing to give them the benefit of the doubt unless you have a strong reason otherwise. When the matter was private between them and Shubham they issued a private apology and explanation. Now that Shubham has made the issue public they have issued a public apology and explanation. This is an appropriate response, not just a PR move.