Not just a bounty, but a repeating and increasing bounty: the vulnerability becomes eligible to be reported again 3 months after it is first reported if the vendor hasn’t notified users about it, or 6 months after if they have, and the bounty is multiplied by 5. The vendor may avoid liability for the bounty if the vulnerable software is released under a license that would allow the person reporting the vulnerability, or any other party who knows of it, to fix it and release a version of the software without the vulnerability (whether they actually do so is irrelevant).