So chuck him a C note and move on. I don't think it's worth the bad PR to quibble over what is clearly a security bug no matter how minor. HTML injection is sort of like the bike shed of security vulnerabilities, every web developer understands it, so you'll get a perverse amount of attention and discussion on it.
In essence, we have a reward structure that we think is internally consistent, attracts the right sorts of research, and makes an optimal use of our resources - and we try to apply it fairly.
Here, we handled the communications poorly, and I think it's OK to call us out on that. In fact, I think it would be wrong to offer a reward in hopes of buying silence from the reporter :-)
I don't think that giving me some money would have refrained me from writing this blog post. The main issue here is that it was not recognized as security sensitive, and would most likely not be fixed if I didn't insist on it.
