Your leaning feels correct, and more if the listed company deals with health or financial data where personal data and privacy is of utmost importance.

User-impersonation, and unauthorized access would probably leave them open to potential lawa suits and loss of credibility, hence the NDA or more like a gag order.

Non-disclosure even after patch is surely a big red flag.

In the interest of the users and public accountability, it is suggested to publish an incident report, only after notifying the company of sufficient time to patch the vulnerability.

> and doing a public write-up once the issue is fixed

I'd also check with UK laws, as even that might be close to gray-ish territory if they're willing to go after you. Litigious companies are a pain to work with. Especially if they seem to be looking for no bad PR. Worth a few hours of research, maybe reach out to a non-profit and see if they can help?

1k sounds like a discretionary amount that would quite neatly fit within a manager's budget for external consultants and so on, which is probably what they'll say you are when accounting for it. They're trying to fly under the radar, and have likely kept this knowledge to only a few people.

The organisation will never change their ways unless they get bad publicity or have to spend so much money that their c-suite gets involved.

I would be wary of trying to negotiate the payment upwards in case you are accused of extortion; just explain you'll disclose publicly in 30 days, which is more than enough time to fix what I assume is a web app backend bug. You don't want them dealing with this kind of issue as a feature to be implemented when there's space in one of the future sprints.

They may try at this point to negotiate the payment upwards, which is a matter for you and your conscience, but I would say that if you don't get something close to 100k, it's likely to be swept under the rug internally and they'll never learn from their mistakes.