Stories like this are wonderful evidence of the effectiveness of public disclosure of security vulnerabilities, and are always heartwarming to see. Remember, 90-day disclosure windows are just a courtesy.
This is why I consider bug bounty programs problematic, because they've been co-opted from a system to manage responsible disclosure to a system to contain and manage non-disclosure.
Bug bounty programs can be great tools to help reward researchers, secure products and help align new and amateur researchers who may not have ever reported a bug before to standards.
But like all things, they can also be used to keep software insecure, hide issues, and instead buy off researchers.
