Any legal basis to challenge this practice? If a company claims that they pay bug bounties but use flimsy reasons like this to chicken out of seemingly genuine cases like these
I'm guessing no, and even if there was, they could make the litigation costs very high.
The sad thing here is what has to happen is the data needs sold off to blackhats to the point that entire countries get pissed and start putting near draconian level regulations and fines against companies like this to get them to stop this insecure bullshit.