> Does the credit card company have a reason to do that?

Yes. They want to make security researchers too afraid to publish their findings.

Then why not offer them a good (not great) nondisclosure deal?

"Discreetly let us know, at the earliest sign of vulnerability, sign a contract with NDA, and we'll investigate, fix, and compensate you promptly. We'll also publicly acknowledge, in vague terms, for your career development, that you successfully discovered a vulnerability that has been addressed. (But if you intrude beyond the boundaries we've clearly specified, then we don't have a business relationship, and we have appropriate government offices on speed-dial.)"

That's if the company wants an NDA. I'm not saying that's how it should be done; just suggesting what seems like a more vendor-relationship, business-transaction way of being alerted to their own security mess-ups, if that's what they want.

That doesn't make any sense though. The only reason they could want that is if they were never going to be held accountable for exposing the financial details of millions of people.

Ooh, wait.

I hope researchers will find ways to publish their findings in other discreet ways then, so that the company behaving like a dick will get hit by black hat people. Would serve them right.