by james-redwood 1413 days ago
This is probably why it was not reported for several months, and why selling the records to the highest bidder on the dark web was so much more lucrative. Companies need to give out less pathetic incentives to security researchers.

That depends: it wouldn’t matter how much they pay in bounties if the bounty hunter is double dipping by reporting the bug & also exploiting it for sellable data. Not saying that’s what happened here though.
I mean, if you're offering much more money for the bounty than could be earned on the black market, the hacker probably won't want to take the risk of double dipping.
You'd be surprised; the risk is worth it.

But Twitter still gets to find out and fix it before even more damage is done. Your dips don't have to be double; they can be many.