Hacker News

DANmode, yesterday at 6:06 PM (2 replies)

That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.


Replies

grayhatter, yesterday at 9:57 PM

I say we, intentionally not naming the company, because 1) doing so tends to turn off people's brains and they assume by default that everything $company does is the correct way, but if I say something stupid I'd rather someone tell me, instead of assuming someone at $company must know or couldn't possibly know. 2) I say we because I'm speaking for myself, (and maybe a tiny bit) for my 2 friends still running the BB program at what I possibly should describe as my former company, but then I've always exclusively been speaking for me, not about them...

So I'm still not gonna name them; it wouldn't be hard to figure out who they were, with a likely-trivial amount of effort, if you feel the need to know... but if you'd rather, I'd encourage you to imagine I work at the worst company you can name or imagine, so you can use that to discard anything I've said. Because I'd rather be judged on my argument, not who hired me that one time.

cubefox, yesterday at 6:34 PM

Even if the company doesn't have a bug bounty, publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.