It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.
I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.
It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.