DANmode 2 hours ago
That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.
cubefox 2 hours ago
Even if the company doesn't have a big bounty, publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.