That's missing a key point of the bounty system. Slack and its users are better off that this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior.

The bug value also shows how much Slack here values their security, and makes me wary of them if I was in the place to be a customer of theirs.