The reporter found that a logged-on customer's real name (but no further personal information) could leak to a third-party site in certain transaction processes.
The issue was investigated and found to be valid.
The reported case was valid and, although not a vulnerability as such, it was not intended behavior. The scope of the issue was quite limited. The application has been updated. The bounty decision was made partially based on the potential consequences of a more serious customer information leak.