If someone comes forward with legitimate good security vulnerabilities and you don’t pay out, you’re massively encouraging them to go to shady brokers next time.