What? It is to the person who discovers the vulnerability. That’s fairly normal for this kind of thing I think. How would giving it to someone else motivate the result they’re trying to get?