I submitted this for discussion because of the "Opinion about bug bounties" section at the bottom of the post. It was interesting to read about the wide variety in quality of responses to an open source bug bounty.
There's a wide variety in the quality of responses to bug reports too.
Last year I stumbled across a bug which could result in a leak of personal data (specifically, private messages). So I did the good-samaritan thing and reported it, opening with "I don't want a bug bounty for this" (it was a pretty trivial bug, just a high impact one).
What I got back was a wall-of-text missive about how it wasn't on the OWASP TOP10, wasn't eligible for a bug bounty anyway, and finished with a personal attack. I didn't even reply to it.
I haven't bothered submitting anything else, not on Hackerone, not anywhere.
You should have released the email complete with personal attack and all info needed to reproduce the bug after 90 days. Their incompetence isn't your problem but it is their users problem.
