Honestly, for a severe finding like this in their product I think they should have:

a) Paid out a bonus anyways for the finding (bug bounties do this often, certainly we did at Dropbox)

b) Made this scoping issue more explicit somewhere