It's not really unrestricted. Given that this is forcing the password reset, you can't silently do it, right? So anyone exploiting it knows there's a limited number of uses before people notice that their passwords are being reset by not them.
True, the restriction is that you only get a guarantee of getting in one time. I meant that there are no restrictions on what you can do once you're in. (E.g. an XSS chat hack or something like that would be restricted in that sense.)
I'm sure they might encourage him to interview, but he's not going to get a serious job offer just from this. There's essentially nothing technical or skillful going on here, other than the basic coding ability to do HTTP requests in a loop and the hunch to investigate if subdomains don't rate limit.
He was resourceful enough to find a security flaw of the highest severity in the only product of a $300 billion company. A hole that was somehow missed by said company's own security auditors, who collectively are probably paid many millions of dollars per year entirely to look for such holes. So that's something.
But you're right, he might have just got lucky. The one fish in a school of 100,000 who finds the hole in the net probably isn't smarter than all the other fish. But that just strengthens the argument that companies should reward very generously for these exploits, because increasing the number of white-hats looking for them is a good way to ensure that they get found by one.
Over 20k in bounties in the last year listed, this 15k bounty, and multiple unlisted amounts from Yahoo. I don't think he cares about a job offer from FB too much.
And who knows if this was already exploited in the wild?
$15k is nothing at all compared to the scale of this issue...