"We would like to say thank you to @ShenNoether for finding the flaw, and the bounty will be paid in SDC at the SDC price before the flaw was revealed to the public. This is the reason we set up the bounty program in the first place, to improve shadow's privacy, usability, etc."

So if the price was 0.00025 and is now 0.00014, then he gets paid like 20.000 SDC @ 0.00025 = 5 BTC which if dumped now, cost 20k SDC x 0.00014 (which it might go down to 0.00010 due to the dumping) = 2.8 to 2 BTC actual reward.

Thats minus -2.2 to -3 BTC for the reward.

Now, I understand that some level of responsibility must be demonstrated in these things, but on the other hand if such information is first received by a core team which may also be SDC holders then this could result in SDC dumps by the core-team holders first to preempt the public investor dumping. In a sense the bounty, in that case, is the cost of an inside info on when to dump.

Plus if a bug finder has to lose money if he reports a bug, then that's a disincentive to report it and more incentive to sell it in a black market... "hey, SDC deanonymization key only 10 BTC for the whole chain". That should not be the first option of a bug finder.