Hacker News

> ethically

Double standards.




Can you expand?


I think he means that if we're not holding Prezi ethically responsible to pay the bounty, then we can't then start saying the researcher is ethically bound not to sell the exploit.


Exactly, it's just a URL.

Why not sell it? People sell URLs all the time, and Bitbucket is clear written intent from the company that they wanted their source control systems accessible to the public else they would not have provided written notice to the world of their passwords.

Surely the creators of the software are competent software experts who fully understood the implications of making their repository public. Surely, they are not asserting that they were so negligent in the performance of their duties as to not check whether the repository would be made public.

Also, they've made numerous written affirmations that the issue found is not a bug, and would not qualify as part of their bug bounty for security flaws.

They are morons and deserve to be hacked because they are negligent and make affirmations that leaving their source control system passwords on public computers is not a security issue worthy of payment. They deem the risk to be so insignificant as to not even be worth $500.


Selling the login credentials would probably be illegal. It's a grey area, at least.


But Prezi aren't ethically responsible for paying the bounty. They stated the conditions pretty clearly and what he found wasn't within their scope.


That waives legal responsibility, but I fail to see how it affects ethics/morals. The ethical implications of an action are determined by the community/profession, so if the community agrees that this was unethical, it was.


This is some crazy entitlement culture. If you help someone out, you are not entitled to a reward. If you want a guaranteed reward for your efforts, get a contract first.



