I think the key thing is that there's a wide range in the amount of effort someone will put into looking for bugs/exploits, guided by a number of factors, like how fun the bug is to work on, the monetary reward, and any prestige from being the one to find it.
If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.
If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.