really? what message would paying him send?! if you find 3 vulnerabilities, go ahead and expose 2 of them. ruin our business. no problem. we'll pay you big bucks for the one you didn't release.
and IMHO, why would they? he did them wrong, very wrong. they shouldn't reward him for that. consider it this way. the potential harm of publicly exposing the issue is massive. you seem to be claiming it's a zero. it isn't. it's a negative -1,000,000,000. 30 - 1,000,000,000 is a negative number. he's far from being in the black in the goodwill department.
the bug bounty program isn't a formal agreement bound by law. it's completely at the discretion of the sponsor company. that means that if they don't like your actions, or just the cut of your jib, they don't *have* to pay you. maybe the CEO saw your dog poop on his lawn. yep, no payment. welcome to life.