Having worked as IA in plenty of banks, I can only say "no good deed goes unpunished". My friendly suggestion is that when you involve cunts in the dialogue (regulators, legal depts, lawyers) you JUST started a fire and those assholes ONLY care to have a fall-guy. And the #1 is (you guessed it) You!!

You cannot expect an honest response from (ffs!) a bank! They are the most dishonest people on planet earth.

If there is a bounty, go through the hoops and do get paid. If not, then feel free to go for a lunch with someone-who-knows/trusts-someone and solve it in the d-l.. with all the plausible deniability you can get "I saw the photo of the guy/gal on LI and wanted to meet him/her for the sex.. I dunno what hacking-vuln you are talking about!"

You may think that the above is risky/dangerous/wrong; good! (https://www.youtube.com/watch?v=d-7o9xYp7eE)