Classic. "Thanks for pointing out this insanely serious issue, which is unfortunately not eligible for our bug bounty program." Maybe they'll send him a free hat.
Embarrassing. People should just sell their zero-days on the black market for BTC until these companies wise up on paying out on "non-qualifying" bugs. Facebook has done this too.
Sorry but if this is not I wonder what is? A remote OpenSSH root exploitation technique or a CSS3 misconfiguration (smiley doesn't display on all browsers), can't believe this.
http://cl.ly/image/2E3D2H2B2d2t