by tastroder 484 days ago
> Would he have not disclosed it if they offered hush money? We won’t know, for his case I hope not. In any case - what was he expecting?

A bog-standard responsible disclosure that any tech CEO should either be familiar with or have someone at hand that is, as is clearly communicated in that e-mail.

Both e-mails are OP reaching out to help this company out, the first fixing the vulnerability, the second giving them a chance for compliance / potential regulatory aspects they might want to follow. It's not on random people reporting security vulnerabilities to tutor random companies on this, and both behaviors (non-responsiveness, then hostility) of this CEO, despite being sadly common, are actively harmful if you want to get productive security reports in the future. (And the company unilaterally signing up for bug bounty programs is rather irrelevant for independent researchers as well if they have no interest in participating in those.)