I don't think Oracle has a policy of paying bug bounties, but they would have to talk to the Oracle security team about that. For reference, our policy on reporting security issues is here: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html. NetSuite customers can report them through standard support channels if you find one yourself.