Re: Or....
Better than the other way of exposing their incompetence* which is to have all their customer details stolen or their website brought down. I know which I'd prefer.
*Incompetence is a little harsh, I suggest. All software of any size has bugs and vulnerabilities, doesn't matter who you are or how good your programmers are - nearly all are human after all. I would suggest that the security teams for many companies would have a say over bug bounty programs and these very teams are the ones who don't wan't to attract large scale attacks on their systems by researchers which may or may not decide to claim a bounty via the official route if they find something significant.
Biting the hand that feeds IT
