> In the end it all works out and they get paid out/credited for the original+follow on bug.
I've worked on the company end of bug bounties too, and it does happen that a report just falls through the cracks. Seemingly-inactive reports do need a certain amount of maintenance; you don't want to just trust that everything will work out in the end. (That said, as long as you get responses when you ping the company, things are working in the background.)
(edit to followup: in about 18 months of this, I encountered one report that had fallen through the cracks. Obviously, there might have been others that never came to my attention at all, but the companies are tracking things much more carefully than researchers often assume.)