Is it though? Is anywhere else really any better? Won't CloudFlare be reviewing everything now? Will they be more secure after this and more trustworthy? I'm asking myself these questions now.
Really, I don't know the answers, but I'm not leaving because this seems like something that could happen anywhere at anytime. I honestly don't know though.
Poor judgement in leadership is reason enough for me. Will they be reviewing everything? Perhaps. The person overseeing that review may not be erring on the side of caution though. Concerns me. Draw your own conclusion I guess.
That's a bit of a straw man. Bug bounty payout isn't any indication that one company is better at security than another. Also, any one of those companies could be sitting on some obscure bug that is currently unknown to anyone in the company until it tragically makes itself known.
Look at Tarsnap's bug bounty: http://www.tarsnap.com/bounty-winners.html . This guy has given out more than a thousand dollars and this is (as far as I know) a one-man shop. How big is Cloudflare? How secure should it be given that it asks for customers' private SSL keys? I would say they should have the biggest bounty program.
This leads to one of two conclusions: 1) They are too cocky to think that they may have security problems (which is a big problem). 2) They know they may have security problems but don't care enough (which is a bigger issue).
There is no way you can cut this to make them look good.
I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.
If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?
It isn't a straw man to state that economic incentives matter. Or do you genuinely believe everyone experienced in security will take the $50 because of "ethics"?