Will they? The NDA makes it so if they don't, we'd never know. Bug bounty programs suck but they're better than the alternative, but even running one openly, there's always contention about whether the bugs being submitted are real or not, with a lot of low quality reports that the submitter thinks are gold. That happens out in the open. Now add an NDA into the mix. Sam's reputation doesn't even have to enter into the equation for it to be a bad deal.