chess.com bug bounty program is a scam

basedygtcg

Today I found a Firebase API key on chessdotcom which basically allowed me to create short links using its subdomains. This could obviously pose an attack vector for reflected XSS and other client-side attacks, as we could create a less dubious URL which would redirect to the injection path and send it to the victim. The company said it does not have any impact, though, but the funny part is they removed the JavaScript where the key was leaked. I mean, why fix it if it didn't have any impact? Wasn't expecting such cheap behaviour from the top chess platform right now.