My guess, and it is absolutely only a guess, is that the legal team drawing up the agreement were not versed in writing up agreements like this. As the author said, at one point they included language so vague that it would make participation by anyone in the program at all forbidden. I do not believe that they actually had that intent.
My guess is that once they got this report and the others they received after opening the bounty program, they shit their pants a little. They did not expect 'oh hey, literally every single segment of your system could be taken over by a malicious party right now and you are probably hemorrhaging data that will lose you clients, destroy your reputation, and maybe even get your company into very severe legal trouble.' They realized, also, that this program was not going to be a matter of an obscure $100 or $1000 bug being reported every 6 months or so. They realized that their entire empire was built on sand. Particularly unstable sand at that, prone to explode at any moment. So for a month they had meetings where they kept out absolutely any person with any technical knowledge whatsoever - those people are just the ones that build everything that enables the company to exist or conduct business, they don't know anything that matters. And in those meetings, they formed a plan:
Step 1: Get out of paying the initial bounties.
Step 2: Fix the initial bugs reported, crediting as they have previously their internal team and 'external researchers', giving no hint of who or which things were found by internal folks as opposed to external researchers, etc.
Step 3: Significantly modify the bug bounty program terms to either radically reduce the amount of money awarded or else change who gets to decide 'severity' so that the maximum bounty is never awarded again.
I imagine they see this as several problems. Losing face and looking exactly as competent as they are is a big one, signified by how they have handled prior bug reports and fixes and also how they responded throughout this process. Losing money, although it is objectively and by all reason a microscopic sum of money to "lose" (I cannot imagine for a heartbeat that they see this as the ridiculously lucrative investment it actually is), with little to no ability to predict the eventual overall magnitude of the loss. Are they going to have $30k findings every year? Month? Week? DAY? They likely see their infrastructure as Swiss cheese and their technical team as incompetent right now. Since they are 'business people' and do not sully themselves with technical knowledge, their imagination gets to run wild. The idea of one bad person destroying their company in an afternoon is something hypothetical and far away, so it doesn't even enter their mind. They see only the truck that is bearing down upon them right now, and bleeding $3 million on this program in the first year alone probably doesn't seem out of the realm of possibility. They also desperately need no one to ever find out about this. Those .gov customers? They get wind of this and they are smoke. They will never be seen again and are probably a large part of the future roadmap of the company. This is an extinction-level event.
I hope my guess is very off-base and totally wrong. If it's not... I'd be surprised if it's more than 30 days before we are hearing about the author being brought up on as many charges as their legal team can find.