The bounty existed for the right reason. It worked as intented to me but the structure was meant to fail. It really turns a filtering problem into the loss of an invaluable security channel.
Relying on goodwill toward the project is not enough. If disclosure to the project is not rewarded, the incentive will shift toward exploit or competing against adversarial bounty programs that will.
Just port the program to HackerOne, Immunefi, HackenProof seriously to solve this triage flaw …