Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.
As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.
I used to give that out like candy, too.
In the long run this will be more expensive than the bounty. But the problem might be that if they would pay a bounty, they would admit that they screwed it up, which their lawyers would like to prevent.
If a wallet finder failed to give me my wallet back, I'd just call the police.
You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.
However, the thing that worries me with these things is: what if some "bad guys" already knew about this and were exploiting it, and now that the bank is aware and might close the hole, that makes them angry and looking for retaliation?
Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.
Sad world we live in :( so take care OP.
Being in Switzerland definitely helps, but still, India being a very big country, it wouldn't surprise me if they had some really-bad-guys(TM) mafias capable of hurting people in other countries.
Of course, a small thing like this wouldn't necessarily pop up on their radars but still...
I guess part of the reason I think this way is because I live in a country where this is a real threat. Where posting things that real-bad-guys(TM) don't like can literally get you tortured and killed.
I see what you did there.
:(
I guess the point still stands as I originally intended it though. Again.. sorry for the confusion. Even though I know my geography reasonably well, my mind brings the word and my mouth or fingers say something else.
The bug bounty isn't only about the money. It's also the company's way of advertising 'we aren't crazy assholes like those outfits you heard about on the news'.
(Yes, fixing the law would be a good idea. But in the meantime, a bug bounty is the solution.)
Not sure if the finder or the business took the cash but I guess they got their own reward. Not what I would do, but I'm glad they didn't take the cash and trash the wallet.
You should always give one. Claiming it's an "insult" to thank someone for going out of their way to do something they didn't have to do (v. doing nothing or throwing the wallet out) sounds like an easy excuse to be cheap.