Re: I fixed $100 mil Amazon bug and all I got was this t-shirt.
Yeah, this scheme is really pathetic.
Many organizations don't pay bounties. I understand that. But if you have the resources of Amazon and you're going to make a big public announcement...
When we first got our PSIRT into shape and began dealing with outside researchers in a consistent manner, we (the PSIRT members) asked for budget for a modest bounty program, and were turned down. Oh, well, I understand that; it's an unknown exposure, and legally complicated, and there are other issues (as Moussouris has discussed at length).
But we always gave credit, in the form requested by the submitter, in the public fix announcement. And we were able to wrangle a little money for a t-shirt program. The t-shirts were personalized – they had the company logo and something about security on the front, and the CVE(s) for the bug(s) submitted by the recipient on the back. So at least the researchers had public acknowledgement.