Being the one who decides to pay or not pay bounties in our bug bounty program: trust me when I say that the internal discussion, fact finding, classification, quality control, release planning & the rest exceeds your bounty by a factor 10.

Same goes for the dialogs with unhappy hunters who like 'proof' for the arguments that a bug / vulnerability is not there.

There is literally no financial incentive for me at all to not reward, au contraire actually.