He has no duty.

If he is going to use the white hat label, which he does, then he does in fact have that duty. If he chooses to hide the vulnerability or sell the knowledge and/or exploit to another party, that's his choice of course, but then he cannot use the white hat label.

The 4.5K is representative of how much they care about customer privacy. That's what, I think, his only point is.

I understand that's the point he's trying to make, but I respectfully disagree since as previously stated I view the reward as a gesture of good will and not as a payment for services rendered.




Responsible disclosure isn't a requirement for white-hat status, white-hat status just means you don't do any harm. Full disclosure can also be white-hat as can sitting on the bug.


white-hat status just means you don't do any harm

This definition falls short. Consider, for example, the hacker who spends time searching for a vulnerability with the intent to do harm, but fails to find one. The hacker has done no harm, therefore by your definition he or she is a white hat despite the fact that they would do harm given the opportunity. For that reason, a person's motivations need to be taken into account in order to provide a proper assessment.


His only duty was to report the bug. He didn't have to look for it. That's what I meant.


