He didn't put the bugs there; he only discovered information that already existed. He can't be blamed for hurting anyone.
It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.