TZubiri 2 days ago
I don't get why disclosing is considered acceptable, it seems like racketeering to me: "pay up or else I'll make this hypothetical issue an actual issue for you." When I reported an issue and got no response, I sat on it for 6 years, reported it again and they took the whole site down without reaching out to me. Never quite got it, but if people are doing this, it makes sense not to acknowledge any report and just play deaf.
nkrisc 2 days ago
What’s hypothetical? All this is and has been publicly accessible. Have bad actors already found it? Who knows? So if Fiverr isn’t going to fix it then the next best thing is to warn people.
morpheuskafka 2 days ago
Huh? I didn't ask for any money here or in the original email. (not that I couldn't use some, as I only have $1000 and four heavy suitcases right now, but anyway...) I did include "bug bounty" in the email subject since they claimed to have a private program. Other than that, no mention of any kind of compensation. It probably doesn't even have any kind of resume value since it's not an actual code flaw/CVE, just an "unlocked door."