That is exploiting the bug. That is literally exploiting the bug. In the same paragraph where you say he did not exploit the bug, you describe the peripherals of his exploit of the bug.
If he was operating responsibly, he would have applied it to a domain he controlled and provided that as a proof of concept. Instead, he ganked twenty thousand domains. That is at best irresponsible and at worst malicious and DigitalOcean (who I am no fan of, for what it's worth) has no obligation to figure out, or even care, which is which before showing him the door.
If he was operating responsibly, he would have applied it to a domain he controlled and provided that as a proof of concept. Instead, he ganked twenty thousand domains. That is at best irresponsible and at worst malicious and DigitalOcean (who I am no fan of, for what it's worth) has no obligation to figure out, or even care, which is which before showing him the door.