I don't think that is a fair assessment of him, even then.

At any case, I hired him fairly recently for a security audit and he worked quickly, and was very effective (he found several important vulnerabilities and reported them in a crystal clear manner). He was also a pleasure to deal with (no bullshit stance, something I find enjoyable).

The 4000 USD for ~20 hours of work were definitely well spent!

There was 2 or 3 cases I regret about. The rest of my work is alright and responsible, no?

He was also very young then I believe, now he's realised he can make a lot of money by acting cool and professional so he does.

I think his behaviour was commendable - he tried many many times to warn, going to multiple people and projects, but they all ignored him - they were too busy being Gem installing Ruby hipster Brogrammers to consider security, and it bit them hard in the backside.

I'm incredibly interested in angling my career towards security and have no real experience.

Wouldn't it also be wise to keep people like him 'out of the loop', I imagine it's much harder to audit when they have access to internal code/architecture that would be difficult for an outsider to stumble-upon?