Element currently piggybacks on the Matrix.org Foundation bug bounty programmes (which are the relevant ones here anyway, given matrix-appservice-irc is a Matrix.org project - i.e. owned by and managed by the Foundation, albeit with lots of contributions from Element employees).
Right now the Matrix.org Foundation is between bug bounties - we ran an EU-funded one via Intigriti last year (https://portswigger.net/daily-swig/intigriti-launches-eu-bac...) until the funding was consumed, and I'm literally about to sign the contract on a new permanent one for the Matrix Foundation funded by Element run by YesWeHack.
I don't see a reference to this issue on their bug bounty page (https://app.intigriti.com/programs/matrix/matrix/detail) but it's possible that the researcher came to them directly or didn't want a reward. You'll have to ask the person who demonstrated the vulnerability.
According to their responsible disclosure page (https://matrix.org/security-disclosure-policy/) they don't generally do bug bounties. I'm not sure what their Intigriti page is all about; perhaps they did in the past?
In the infosec community, "researcher" is the noun of choice to describe anyone who has discovered a security vulnerability, no matter their motivation or experience.
Is there a decent overview of commercial adoption of Matrix? i.e. what are the top 10 biggest companies using Matrix, and is there a vehicle by which they could pay for some security audits and bug bounties above and beyond the Matrix foundation?
Every (active) Matrix user in a bridged room (or portal) has a corresponding user/connection on IRC. That is, if you join a bridged Matrix room as @charcircuit:example.com, the appservice responsible for bridging said room to IRC will open a connection with NICK/USER charcircuit to IRC (if not open already).
Effectively, appservice-irc is a multi-tenant IRC client.
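The per-user connection model described in the comment above, as an added sketch that is not part of the thread and not matrix-appservice-irc's own code: one IRC registration per Matrix user, opened only if not open already, with the nick reduced to a conservative alphabet and same-localpart users kept apart. `MAX_NICK`, the nick alphabet, the `_n` collision suffix and every function and class name are assumptions made for illustration.

```javascript
// Added sketch; not matrix-appservice-irc code. All names here are hypothetical.
const MAX_NICK = 16; // assumed limit; real networks advertise their own NICKLEN

function parseMxid(mxid) {
  const m = /^@([^:\s]+):(\S+)$/.exec(mxid);
  if (!m) throw new Error(`not a Matrix user ID: ${JSON.stringify(mxid)}`);
  return { localpart: m[1], server: m[2] };
}

// Reduce a localpart to a conservative nick alphabet so nothing from the
// Matrix side (spaces, CR/LF, other control bytes) reaches the IRC line.
function baseNick(localpart) {
  let nick = localpart.replace(/[^A-Za-z0-9_-]/g, "_").slice(0, MAX_NICK);
  if (!/^[A-Za-z_]/.test(nick)) nick = ("_" + nick).slice(0, MAX_NICK);
  return nick;
}

class BridgePool {
  constructor(openConnection) {
    this.openConnection = openConnection; // factory: () => ({ send(line) })
    this.byMxid = new Map();              // one tenant (Matrix user) -> one IRC client
    this.nicksInUse = new Set();          // lower-cased nicks already registered
  }

  // Returns the existing entry for this user, or registers a new connection.
  connectionFor(mxid) {
    const existing = this.byMxid.get(mxid);
    if (existing) return existing;
    const base = baseNick(parseMxid(mxid).localpart);
    let nick = base;
    // @alice:a.example and @alice:b.example must not end up sharing a nick.
    for (let n = 1; this.nicksInUse.has(nick.toLowerCase()); n++) {
      const suffix = `_${n}`;
      nick = base.slice(0, MAX_NICK - suffix.length) + suffix;
    }
    this.nicksInUse.add(nick.toLowerCase());
    const conn = this.openConnection();
    conn.send(`NICK ${nick}`);
    conn.send(`USER ${nick} 0 * :${nick}`);
    const entry = { nick, conn };
    this.byMxid.set(mxid, entry);
    return entry;
  }
}

// Constructed in-memory stand-in for a socket, so the sketch runs offline.
function fakeConnection() {
  const lines = [];
  return { lines, send: (line) => lines.push(line) };
}
```

The pool is keyed by the full Matrix user ID rather than the nick, so traffic for one tenant is never written to another tenant's connection even when their localparts match.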