[mtberatwork]

That's a bit of a straw man. Bug bounty payout isn't any indication that one company is better at security than another. Also, any one of those companies could be sitting on some obscure bug that is currently unknown to anyone in the company until it tragically makes itself known.

[minhajuddin]

Look at Tarsnap's bug bounty: http://www.tarsnap.com/bounty-winners.html . This guy has given out more than a thousand dollars and this is (as far as I know) a one man shop. How big is cloudflare? How secure should it be given that it asks for customers' private SSL keys? I would say they should have the biggest bounty program.

This leads to one of the two conclusions: 1) They are too cocky to think that they may have security problems (which is a big problem) 2) They know they may have security problems but don't care enough (which is a bigger issue).

There is no way you can cut this to make them look good.

[mtberatwork]

I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.

[fictioncircle]

If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?

It isn't a strawman to state economic incentives matter. Or do you genuinely believe people everyone experienced in security will take the $50 because of "ethics"?