> but demonstrating a reliable way to exploit them

Is this a requirement for most bug bounty programs? Particularly the “reliable” bit?