There's no point in trusting any company's bug bounty programs any more. They all weasel out of paying. Do what you will with the knowledge you find, just know that you will never be dealt with fairly by the companies.
2-@C-suite, look what y’all wrought saving a penny, pls fix
(btw #1 is my polite way of saying “don’t do it!” - plea as I might, if the thinking gains traction people will sell more 0days anyway, so might as well fix bounty programs now before it’s in the news)
I'm not advocating for any behavior in particular. It could be anything from telling the company, to saying nothing, to doing something evil with it. It's each individual's choice. I just wanted to reiterate it so the folks in the back of the room hear that it is a matter of routine for companies to deny paying out legitimate bug bounties at this point and that should be known to the bug finders when deciding what to do. Whether or not or how it affects or influences their decision is up to them.
2-@C-suite, look what y’all wrought saving a penny, pls fix
(btw #1 is my polite way of saying “don’t do it!” - plea as I might, if the thinking gains traction people will sell more 0days anyway, so might as well fix bounty programs now before it’s in the news)