Common practice for severe security bugs to 'vanish' to a developer only section of the bug tracker, though not notifying the poster privately is stupid and far too common. Happened to me before.
Unlikely they just deleted the ticket, more likely to languish at the bottom of the bug queue for years if they didn't see it, so both versions of events are perfectly plausible.
Banning the account was over the top when he did something innocuous for a bug which could be used for many nefarious purposes, irrespective of EULA crap.