They make their money from getting paid by other companies though, don't they? It's hard for me not to imagine that companies in general will see "testing stuff a day later" as a way to cut costs or not paying out as much for bounties because of claims that no one was actually affected yet