@gsuberland@soatok@phryk I engaged with FreePBX's security process and was quite impressed, though I didn't ask for a bounty. I was just happy they fixed it. I was marginally less happy when I found out my name and email was on a CVE and I was getting emails from skiddies trying to buy zero-days. (I ignored them, obviously)
The only scheme I engaged with - well, ended like my reply. It was a Twitter bug. It finally got fixed when a mutual passed it along to a friend who worked there.