Document your findings, and share them exclusively, in writing, with the client point of contact. They may not see the need to do anything until they incur some pain. Make sure you shield yourself with good documentation.
What if they ask how it makes sense? You provide all info, to include video documentation, and they can't reproduce and mark it N/A.
 
You should still document what you found & when (dates) in writing with screenshots.
Ideally, ALSO reproduce it and run some kind of screen share or recorder so they can see what happens in real-time.
Send them both exclusively.

You can't force them to pay you for a bug they can't reproduce. You need to be able to show them how it's affecting you or a client.

You can't force them to pay you a bug bounty, unfortunately, especially if they don't have an official bug bounty program.
Even if they do, you can't force them to pay you for a bug if they don't deem it relevant or worthwhile.

If they keep refusing to acknowledge your bugs, stop testing this company's stuff and go find bugs on products known to pay bounties.
 
If you see a vulnerability that only applies to consumer and server, and the company denied working on or fixing it, what is a remedy to this?
Report it to an IT magazine or security news. They provide confidentiality to you, and sometimes that helps to give the company a kick.
In the EU, that could be a violation of GDPR, and then Data Governance officers take over.