In most bug bounty programs I've seen (including Apple's and Facebook's), payouts are contingent on not publishing the research without consent.