$3500 for having found a risk of that magnitude ?
Risk that MS was entirely responsible for due to shoddy security implementation ?
For shame, Microsoft. He should get ten times that to start with, because if a blackhat had found that out and used it, the damage to your reputation would have been orders of magnitude higher.