If you want to understand the dynamics of what happened here, a very important detail is that the bounty hunter's report implicated DKIM and SPF, and no bug bounty program in the world takes DKIM reports seriously. DKIM is the archetypical beg bounty. You could find DKIM RCE and HackerOne would still round file your report.