If he had reported the keys along with the original submission, I think it's safe to assume they probably would have rewarded him handsomely.
Instead, he sat on the keys for over a month, and in the meantime used them to download everything he could find onto his personal computer. Simply testing that the keys were live and disclosing this immediately would have been more than enough proof of a bug here.
Edit: downvoters - please explain how using keys to access production systems for over a month without disclosing is acceptable white-hat behavior?