April 9, 2024, 7:36 p.m. | /u/Competed

cybersecurity www.reddit.com

I recently stumbled upon a concerning security issue and promptly reported it to the company responsible. The issue involved an API data exposure that exposed sensitive customer information, including names, addresses, and order history. To my surprise, I was only rewarded with $2.77 worth of "rewards" points.

What's even more concerning is that the same data was accessible on their website without directly accessing the API endpoint. Simply by logging out of my account and navigating to the order history …
