
The Bugcrowd portion of this story is not something I expected to see. The screenshot of the mail is apparently sent from the "Platform Behavior Standards Team," which means that either Bugcrowd are taking a rather expansive view of their platform standards [1] by attempting to police behaviour outside the platform, or Mastercard are impersonating official Bugcrowd staff.

Neither option is particularly palatable.

[1] https://www.bugcrowd.com/resources/hacker-resources/platform...




Someone else here, although I don't remember who, regularly argues that Bug Bounty platforms exist to capture and prevent responsible disclosure, not encourage it.

If they're regular enough to see your comment, they may be able to expand the idea and explain it better.


> exist to capture and prevent responsible disclosure, not encourage it.

I will say that Google's VRP is the exception. They have top notch people who answer the initial report, will keep you in the loop (usually) and will consider impact if you'd gone further. BC or H1 are hit or miss, and more often miss.


I can see why; if it's software that isn't easily or frequently patched or it takes a long time to update everyone and roll out the update, AND the exploit isn't known elsewhere yet / actively abused, keeping the report under wraps to try and protect the unpatched installations for as long as possible makes sense. Yes it's security by obscurity, but if you're the first to find it then the obscurity was effective.


I don't think I make this argument regularly and I wouldn't absolutely say that's the goal of the platforms themselves, but it's an effective outcome - in most cases participating in the program means accepting terms that say you won't disclose without permission, and if the vendor never grants permission you have the choice of disclosing (and potentially being kicked off the platform and also losing any safe harbor protections you had) or just saying nothing.


I am not a security person, and when I tried to report a vulnerability in the authentication signing in the QuickBooks Ruby gem, the process caused me to end up just saying nothing. Intuit pushed me to H1, and I did not feel comfortable with the H1 process, or that I had an advocate for a legal process that I was unfamiliar with.


The wording is also downright terrible. It's phrased as if you've been judged to have done wrongdoing, and your options are to either comply or ask for further clarification why you're in the wrong. No chance given to explain how you're not the one at fault.


From my experience BugCrowd attempts everything to tarpit and delay reports from reaching the actual company. From company perspective this reduces cost (less bounties paid out and less reports to screen by their own staff) while at the same time having plausible deniability for legal reasons.


I'm sure there are Bugcrowd employees here; perhaps they can explain that email.



