[donmcronald]

> I don't know if this is strictly legal either, but definitely more plausible deniability.

Presumably you're into the system by the time you've discovered the exploit, so you're on the wrong side of the CFAA in the US and IMO the law would come down on you _hard_ if you acted in bad faith like that.

Even failing to report it might ruffle enough feathers for the company to use their political connections to have you prosecuted. I suspect that's also part of the reason the bounties are so low.