It's not like they got him on some legalistic technicality. The bug bounty clearly doesn't cover the bug he reported.
And I don't usually go looking for them, but if I come across a security problem (e.g. someone left login credentials unsecured in bitbucket) I would let them know because it's the right thing to do, not because I expect cash.
It's not a technicality, but you're just saying "well, that's the policy" without considering whether the policy is the best way to accomplish certain goals. That's the point.
