ImPostingOnHN a day ago

A bug bounty might be viewed as a 24/7 pentest conducted by everyone in the world willing to work for the bounty price.

While you're waiting a few days for Steve to get back from vacation and approve the PO for a pentesting contract, everyone else in the world is already pentesting your systems anyways.

Doesn't look like Verizon has bug bounties, so I guess we're lucky that the person who found this one was willing to work for free.