If they want to keep the company they should pay the 250k prize. Claiming the wallet is unhackable is fine, it's still in the early stage, but not paying the bounty will bury them.
They should really turn damage control on, pay up the bounty and if they are 100% sure about the whole root/access to funds stuff only then they should issue a second challenge based exactly on this.
Suddenly dropping the bounty from 250 000 to 10 000 smells fishy to me, it looks to me like they want to avoid larger groups with more resources that would be tempted by a 1/4 million prize.
Anyhow...
https://www.csoonline.com/article/3294619/security/bounty-for-hacking-the-unhackable-bitfi-wallet-jumps-from-100k-to-250k.html The researchers did find some troubling apps on the device, including the Chinese app Baidu and Adups malware which seem to be calling home.
They are probably done for.