Yeah, Firebase makes this much more of a gray area than a SQL database would, where you'd know instantly as soon as you issued an INSERT or an UPDATE that you were doing something unauthorized. The writeup is solid, you seem like you took most of the normal precautions a professional team would. The story has the right ending!

Did you check with the target before you "checked whether we could set `isAdmin` to `true` on our existing accounts?"

If you did not get consent from a subject, you are not a researcher. If you see a door and check to see if it is unlocked without its owner authorizing you to do so, you are on the ethical side of burglary even if you didn't burgle.

Helpfully the "technical writeup" post links to "industry best practices" [0] which include:

If you are carrying out testing under a bug bounty or similar program, the organisation may have established safe harbor policies, that allow you to legally carry out testing, as long as you stay within the scope and rules of their program. Make sure that you read the scope carefully - stepping outside of the scope and rules may be a criminal offence.

The ethically poor behavior of Fizz doesn't mitigate your own.

0. https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...

With further context that seems much more reasonable then it did at first glance.