
> job offer

Really? For brute forcing an un-rate-limited endpoint? I doubt it.



I'm sure they might encourage him to interview, but he's not going to get a serious job offer just from this. There's essentially nothing technical or skillful going on here, other than the basic coding ability to do HTTP requests in a loop and the hunch to investigate if subdomains don't rate limit.


He was resourceful enough to find a security flaw of the highest severity in the only product of a $300 billion company. A hole that was somehow missed by said company's own security auditors, who collectively are probably paid many millions of dollars per year entirely to look for such holes. So that's something.

But you're right, he might have just got lucky. The one fish in a school of 100,000 who finds the hole in the net probably isn't smarter than all the other fish. But that just strengthens the argument that companies should reward very generously for these exploits, because increasing the number of white-hats looking for them is a good way to ensure that they get found by one.


He's found quite a few different bugs:

https://hackerone.com/anand786 https://www.facebook.com/whitehat/thanks (listed 2015, 2014, 2013)


Over 20k in bounties in the last year listed, this 15k bounty, and multiple unlisted amounts from Yahoo. I don't think he cares about a job offer from FB too much.


Clearly this is the kind of role Facebook needs to fill ASAP.