The "then" isn't temporally proximal. The quoted e-mails (unless you feel like asserting that they're fake, which I think is the next step in your arguments in this thread) demonstrate that he's trying to work within the unwritten rules of the program and asking for clarification in good faith. Then after that, rather than attempting any communication with him, Stamos threatens his employment.
I agree with you that something seems off, but you're happily giving all the charity to FB and none to this guy, which is your prerogative but hardly makes for good conversation.
Not really, no. Your "should not have had" is still presupposing a set of bug-bounty-hunter professional guidelines that don't actually exist unless they're specified in the program guidelines, and from a philosophical perspective the actual security vulnerability under discussion now is that their sec team is so lackluster that they can't or won't change out a credential set known to have been externally accessible (and, the critical point, to anyone who could have found this not-particularly-obscure vuln, not just this researcher).
That is NOT what happened. Look at the timeline again.
* He popped the server.
* He submitted the RCE.
* He submitted a dumped file from the compromise as a finding.
* They fixed the RCE.
* They told him not to dump files.
* They paid out the RCE finding.
* A month later, they declined to pay out on the dumped file.
* In response, he submits a new finding, with AWS creds that he stored for more than a month after they shut down the server.
* (Whatever else happens that day)
* Stamos calls Synack.