billyhoffman 2 days ago

> Their response was better than 98% of other companies when it comes to reporting vulnerabilities. Very welcoming and most of all they showed interest and addressed the issues

This was the opposite of a professional response:

* Official communication coming from a Gmail. (Is this even an employee or some random contractor?)

* Asked no clarifying questions

* Gave no timelines for expected fixes, no expectations on when the next communication should be

* No discussion about process to disclose the issues publicly

* Mixing unrelated business discussions within a security discussion. While not an outright offer of a bribe, ANY adjacent comments about creating a business relationship like a sponsorship is wildly inappropriate in this context.

These folks are total clown shoes on the security side, and the efficacy of their "fix", and then their lack of communication, further proves that.