When should we award a bounty?

The security team determines when to offer a bounty as well as how much to reward. To attract the best hackers and keep them incentivized, we recommend always rewarding unique reports that you resolve and that fall within the scope of your guidelines. A good way to think about bounties is as a tool you can wield to incentivize hackers to work on your program, and even to focus on particular areas by altering the relative reward for different vulnerability types. In some cases, paying for a significant vulnerability that is out of scope is also a good practice. However, you should not feel obligated to reward every incoming report; only provide a bounty for useful, valid reports, and never feel the need to reward more for the same report. Just be sure to always communicate your reasoning clearly and firmly to researchers who spend time trying to help make you more secure. Keep your communications professional, as if they were public.


