I've been active in the bug bounty community for almost 7 years now. The problem is that the majority of companies don't act in good faith.

Even when you have something fully exploitable and valid, they will many times find some way to not pay you or lower the severity to pay you very little.

The catch-all excuse is something along the lines: "although this is vulnerable, it doesn't impact the business".

I've gotten this excuse, even when I could prove it was a production server with customer information that I could access.

Sites like Hackerone can help, but in the end, it comes down to the company running the bug bounty program.