by jamies888888 3693 days ago
It's actually quite heart-breaking to see the extent gone to to reveal the bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.


The next bug found will be sold on the black market. False economy.
Presumably any reward would need to be approved by an executive other than just the IT director since clearly they have no policy in place. The IT director would not want his department's incompetence to be known higher up the board.

As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.

It took 12 days for them to reply back saying that "they're working on a fix". The fix was not out at least until late December/early January. And they did not block fund transfers during the intermediate period either.
Ah, the benefit of the doubt.

I used to give that out like candy, too.