Not rewarding the people that can manage to find these exploits is insanely dumb, you just basically give green light to these people to make money from your exploits in a way where you as a company lose way more money and reputation.
HackerOne and PayPal are both to blame here. But yeah, moral of the story: Sell the exploits instead for a nice sum and let PayPal burn for it when someone will eventually have their money stolen, and thus needs to be reimbursed for it.
Remember! Reality's an illusion, the Universe is a Hologram, buy Gold!