Finding and disclosing vulnerabilities predates bug bounties by a long stretch. Bug bounties are simply an incentive for people to follow a scope and disclosure policy through a legal safe harbor and small financial incentive, but they aren't always effective at that. Folks that operate outside of the bounty program don't have that safe harbor and are likely exposed to the full force of whatever domestic 'hacking' laws exist on the books. In the US this has resulted in jail time and fines.

If someone doesn't like the terms of a particular bug bounty program, I would ask why they are doing research against that company to begin with. That's like someone really wanting kids dating a person that doesn't want kids and hoping they will change their mind after they see how awesome it will be. Almost without exception, if you read the comments from the individuals reporting the bugs, they will actually defend the status quo (as is the case here if you dig around). It's mostly just loud people in the vicinity of this trying to drive up the market.

Of course in my example I could try to incentivize said partner to have children by all sorts of unethical means, and there are certainly ways for researchers to try to incentivize corporations to increase bounty scope or payout by unethical means. This is generally considered 'extortion'.

Lastly I think it's also important to point out that legality has nothing to do with ethics, and I certainly believe there are cases where disclosure is warranted outside of any established paradigm of 'responsible disclosure' or bounty program.

A friend of mine swears that you can be sued for 'business damages' over improper disclosure. Sadly, the US is a non-permissive environment so I tend to believe it.