He never 'got a lawsuit.' Instead, he got some comments from the contact to whom he reported it that criticized his approach. It's not even clear just who this person was. It seems he had trouble locating a contact to report security issues to, so this may as well have just been a low-level support rep who was in over his head and saying things he shouldn't have.
"The hardest part - responsible disclosure. Support guy honestly answered there's absolutely no way to get in touch with technical department and he's sorry I feel this way. Emailing InformationSecurityServices@starbucks.com on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days."
Not only did he test it live, but he used the gift card to purchase items. He could have easily walked in and checked the balance without purchasing anything.
To be fair, his purchase was relatively inexpensive, did not significantly disrupt other customers or otherwise compromise the system, and served to test that the balance was actually available, not just displayed.
Just deduct the price of the sandwiches from the bounty reward?