Can anyone rationalize this decision? Sure, technically this is outside the stated scope; however, the severity of this vulnerability is immediately obvious, which should trigger some alarm bells that the scope needs to be reconsidered.

If they lose just one customer over this they're losing more than the minimum $500 bounty. They also signal to the world that they care more about some scope document than actually improving security, discouraging future hackers from engaging with their program.

This would be a high severity vulnerability so even paying out $500 for a low severity would be a bit of a disgrace.

What's the business case for screwing someone out of a bounty on a technicality?

Honestly, even if it were in scope, just them getting paid is a bit odd given how AMD has been made aware of this multiple times over the years.