by minhajuddin 3405 days ago
Look at Tarsnap's bug bounty: http://www.tarsnap.com/bounty-winners.html . This guy has given out more than a thousand dollars and this is (as far as I know) a one man shop. How big is cloudflare? How secure should it be given that it asks for customers' private SSL keys? I would say they should have the biggest bounty program.

This leads to one of two conclusions: 1) They are too cocky to think that they may have security problems (which is a big problem), or 2) They know they may have security problems but don't care enough (which is a bigger issue).

There is no way you can cut this to make them look good.


I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.
If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?

It isn't a straw man to state that economic incentives matter. Or do you genuinely believe that everyone experienced in security will take the $50 because of "ethics"?