For the record, I didn’t bring up a bounty, but I still received payment. It helps that it is a small company, and that the CEO is also a developer. They were so grateful for the discovery that the bounty was freely offered without me asking.

Interestingly, I didn’t have to circumvent any security measures to uncover the vulnerability. They had a page that was leaking api keys - all you had to do was watch the network requests. That’s why I chalk it up to luck and not my prowess in cyber security.

Maybe you should just try being lucky. I found a critical security vulnerability while working on my scraping project. I told them, they paid me and gave me written permission to scrape.