Granted it looks like they had a policy but it's possible that not many people were aware of it. I don't know anyone that reads the lengthy ToS or policy documents of companies they deal with and they didn't seem to give it much promotion until after this incident. He does specifically say bug bounty programme and not the policy so I'm willing to give him that. If a company has a stance they do need to promote it and perhaps have stronger wording than we might not hang you out to dry.