
Read the timeline again and then the post.

1. Second finding is declined.

2. New third finding, which includes AWS credentials that this person should not have had, is written and submitted.

3. Stamos calls Synack.

I believe the relative timing of these events is, in fact, established.

Now: stipulate that I'm right, even if you're not sure. Does your opinion of the story change?



Not really, no. Your "should not have had" is still presupposing a set of bug-bounty-hunter professional guidelines that don't actually exist unless they're specified in the program guidelines, and from a philosophical perspective the actual security vulnerability under discussion now is that their sec team is so lackluster that they can't or won't change out a credential set known to have been externally accessible (and, the critical point, accessible to anyone who could have found this not-particularly-obscure vuln, not just this researcher).



