They posted a link to their blog post down in the comments of the gist…
We also want to address the Bug Bounty program associated with this case. Although the researcher did initially submit the vulnerability through our established process, they violated key ethical principles by directly contacting third parties about their report prior to remediation. This was in violation of bug bounty terms of service, which are industry standard and intended to protect the white hat community while also supporting responsible disclosure. This breach of trust resulted in the forfeiture of their reward, as we maintain strict standards for responsible disclosure.
They failed to mention that the report was closed for being out of scope. Any reasonable person would expect that to mean a remediation was not coming. So really he didn’t give up his bounty because he wasn’t getting one to begin with.
Edit: cause autocorrect is dumb.
Dev is a large financial drain and a ton of companies accounting departments(or whoever) don’t see the value. Ok the IT department is responsible for the website? The website is ‘done’ though so why are we still paying all these IT/Dev people? Cue massive IT layoffs…wall street/investors are super happy.
No new features/bug fixes/security updates. Customers are unhappy(who cares?, they’re still spending money!). Oh…massive data leak from some unpatched security vulnerability. All the sudden IT budget blows up…
The damage to reputation and future business deals are hindered. The amount of promising you’ve identified the problem and mitigated that from happening again etc. The requirements of other companies that you follow xyz audits to do business with them etc(which can be a good thing, it’s just very costly to a business).
Then a handful of years later they forget it all and repeat…
I work in IT/Dev…oof.