Bug bounty programs pay you for the severity of the exploit, not the potential damage you could do with it. The researcher found an unpatched server with a known Ruby RCE and cracked a weak password. Whether he found the server empty or containing nuclear codes isn't what determines the payout.

Storing user data and private keys on your computer after reporting the hack and using them again to access the systems is way beyond the scope of a bug bounty program (and probably criminal).
> the severity of the exploit, not the potential damage you could do with it

Isn't severity measured in terms of potential damage?


Yes.

https://www.facebook.com/BugBounty/posts/approaching-the-10t...

CDN bug report... Earlier this year we received a report from Selamet Hariyanto who identified a low impact issue in our CDN... a very sophisticated attacker could have escalated to remote code execution. As we always do, we rewarded the researcher based on the maximum possible impact of their report, rather than on the lower-severity issue initially reported to us. It is now our highest bounty — $80,000.
