I'd disagree here: how would he know there was a bug to report if he didn't do it once?
Besides, this has been used for decades by corps to prosecute vulnerability reporters; see Serge Humpich, who discovered a huge vulnerability in bank cards back in 1997. He reported it to the European bank card Economic Interest Group (EIG) with the support of a lawyer, who said they would not believe him until he proved it practically. So he went and bought metro tickets that he did not use, but sent them with every detail of the transaction. The EIG then got him arrested, prosecuted and sentenced for bank fraud and falsifying a bank card. The fun part is that this got publicized, and it was not long before bad guys found the vulnerability too and started issuing yescards (bank cards that say yes to any withdrawal from an ATM), and it cost them many tens of billions of euros over a few years due to fraud and upgrading their security and hardware in a hurry.
He could have used the same value in the hacking as the original one, or even added 1 unit to the original price. This does not cause anybody any damage, and it is much easier to defend in court while still illegal. If there is no bug bounty program and you do not have a contract to perform such activities, then it is not a good idea to engage in such activities.