What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.
He did exploit the vulnerability by creating the PoC popup.
There is not much more you can do with a reflected XSS on such a site. That's basically it.
Warning to future ethical hackers: Do not contact OG about vulnerabilities - he will accuse you of a crime.
An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddie move. And a pretty dumb one.