Unlikely. If a company does not have a formal BBP, they won't pay 99.99% of the time. Brokers are also not interested in vulnerabilities in companies. They usually only buy vulnerabilities for standard software (components).
Again, there really isn't a big market for such vulnerabilities. No 0day broker will buy the vulnerabilities listed in the article. They might be able to sell to an initial access broker, but even there rhe kinds of vulnerabilites are not really interesting to them.
If that’s the case, then why do companies run bug bounties?
I’m asking earnestly; it seems like if nobody actually cares about these gaps then there shouldn’t be an economic driver to find them, and yet (in many companies, but not Burger King) there is.
Is it all just cargo culting or are there cases where company vulnerabilities would be worth something?
Oh no. They do get exploited. Just not bought. Buying vulnerabilities is by itself time intensive, complex work. grey market escrow, finding trusted sellers and buyers, etc. So buying and selling bulnerabilities only really happens for really impactful und generally useful ones.
