by arice
3868 days ago
Great questions. We'll line up a more analytical post on the topic, as I don't know all the answers here, and we all should. In the interim, here are a few rough answers from memory:

> That's an average of $357/vuln

The 14,000 includes resolved bugs where no reward was offered (bounties are optional, with ~40% of programs not offering any, i.e., "responsible disclosure", a drop-in replacement for security@company.com). If you reduce the set to reports where a reward was offered, the average is closer to $750.

> What % of the $5MM or the 14K did the top hacker or group take home?

The top earner last year took $280k.

> How long is the tail of zero $$ per hacker in the community of the 2K?

This is a diverse group. Several hundred are active "hackers" driven financially. The rest are developers, hobbyists, and technical consumers who just happened to get curious about something in particular, or even stumbled across a security problem in passing (this is far more common than you'd reasonably expect).