Might bug bounty programs be more effective, if disclosures are also automatically reported to a government agency, like the FCC, and the relevant company's email cc'd on that? They'd need to provide clear evidence that a report warrants dismissal, and if an exploit is proven to have some from such a report, or if they make any changes and the reproduction recorded in the report stops working, then they are obligated to pay up and/or face fines.