if they don't think it's OK, then they should have a bug bounty program.

why are companies so entitled to get free security research/audits?