
Seems like a bad idea for a public SaaS company, one that relies on customers trusting that their data is secure, to piss off its own offensive security team by firing them suddenly without even giving a warning.

I expect that lots of new Salesforce vulnerabilities will be discovered and disclosed.



Last year we reported a vulnerability where a default option in Salesforce orgs allows browser session hijacking. They came back telling us that it wasn't a bug, but working as intended, and that bugs like that aren't part of their bug bounty program anyway. Then, when we found a public Salesforce forum post from eons ago where a Salesforce employee confirmed this bug/feature and tweeted it to our clients, they kicked us out of the bug bounty program for disclosing vulnerabilities.


> I expect that lots of new Salesforce vulnerabilities will be discovered and disclosed.

Oh, even worse: no new vulnerability discovery and disclosure, which in turn decreases the security of Salesforce products.


Oh, they will be discovered and disclosed, just not to Salesforce or the public but to "interested third parties".



