They should really turn damage control on, pay up the bounty and if they are 100% sure about the whole root/access to funds stuff only then they should issue a second challenge based exactly on this.
They won't pay. As with most things associated with the serial scammer McAfee, it was all show and no substance. The bounty was a marketing ploy only - they had no intention of ever paying.
the hardware wallets are the best.
Some hardware wallets (like Ledger or Trezor) are the best. Definitely not this Bitfi scam.