by maze-le 3620 days ago
Yes, my thoughts exactly. He could have made 100x that money on the black market, so no wonder we still have problems with 0days traded there.

How long would you work for $1,000? Some days, a week, two? If you spend more than a week on this problem it seems not worth reporting it... On the other hand, if you set the incentive for the bug bounty too high I imagine all sorts of cranks pop up that want to show off bugs that are not there, and resources will be bound to this task -- they have to be verified and analyzed even if it's a bogus report (and in the worst case it will not accomplish anything).

Where is the middle ground?


"You agree not to disclose the full amount awarded you as part of this bug bounty award contract."
If the full amount is <=1000 it's irrelevant what you're actually awarded for a bug as serious as this.
Oh, no - I mean, if you want to reward people fairly, but not get a stampede to your door, tell them to report a smaller bounty than was received. They can spread private word to their network (presumably, other people who are going to actually be correct) but still provide hooks to the public.

Probably doesn't work out, but it's what came to mind as a way to deal with the balancing act.

> How long would you work for $1,000? Some days, a week, two?

You might not work for long on a $1,000 problem, but other people sure will. College or high school students, people in a country with low salaries such as Ukraine...