The correct response to a reported vulnerability by a security researcher is to acknowledge receipt of the report. This leads to establishing a communication channel with the researcher which is a best practice in responsible disclosure programs. It also ensures the researcher that the report has been received and will be looked into, potentially preventing them from publicly disclosing the vulnerability before it's remediated. It's important not to ignore the report, as that can lead to the researcher becoming frustrated and possibly deciding to disclose the vulnerability to the public, which could put the company at risk. Publicly thanking the researcher before verifying the report might give the issue more limelight than necessary, potentially even before understanding the full implications. Offering a reward immediately may not be the best step if the organization does not have a bounty program in place or the claim has not yet been verified.