Well, we have an official reward program with published criteria, and to a large extent, it's just a matter of reputation: if we were unfair or stingy, it would be a very short-sighted strategy.
That aside, having another party getting advance knowledge about the bugs is risky: it just gives bad actors a juicy target to infiltrate to get a steady supply of 0-days.
That aside, having another party getting advance knowledge about the bugs is risky: it just gives bad actors a juicy target to infiltrate to get a steady supply of 0-days.