If there's a system breach, that's an unauthorized activity and it would be treated as malicious and illegitimate access as with any mal-intended attacker. We don't have bug bounty researchers perform attacks or breaches, and as part of the program policy, they're not allowed to access customer data nor to make any manipulation or changes of information. They're allowed to disclose vulnerabilities that are detected in the system and report those to us through the responsible disclosure program.
On May 29th, 2019. See this statement in context.