I think it's ridiculous, I've reported similar "out of scope" bugs and got no bounty for them.
Even worse are the companies that DON'T state any kind of bug bounty or instructions to report a security bug...
I found a data leak issue in one of the web properties of an S&P 500 company last week and I'm not sure if I should report it, because I feel that if misunderstood it could have negative consequences for me; and not having a security contact means I can't be sure the person I'm talking to understands my motives.
Sorry, I have some problems with this attitude of expecting a reward for each and every action that benefits other human beings. Whatever happened to altruism?
I don't think you understand, it's not about a reward; it's about having a clearly defined process to report security bugs that is inclusive of every kind of bug.
If you don't have that, people don't know if they are breaking the law by sending you a bug report, and they might not report the issues.
Most of the time, the bounty is not going to pay for my time anyway; I just do it for the fun of it, but it definitely says "security issues are welcome".