JPMorgan Chase is an international company with a massive portfolio of products so there are quite a lot regulators floating around. Even outside Chase Ultimate Rewards, I imagine someone, somewhere would be concerned with their vulnerability disclosure process/practices.