> I don't think bug bounty is a substitute for certification.

Neither does the EU: by extending the free software security audit programme (FOSSA)[...]. Meaning: there already is an audit, certification and audit being synonymous for this purpose.

> making it short term

This is a trial run, to be extended later: "we are trialing the VLC application on a bug bounty program".

> with only one payout

There will be as many payouts as security-relevant bugs are found: "Rewards may range from $100 up to $3,000."

> will only attract people with automated tools

This is a private trial, where people with automated tools submitting low-impact bugs will presumably not be invited: "We invite hackers and bounty hunters (aka researchers) based on a variety of factors - reputation, previous track record (high quality reports)".

> Then code will get "certified" and forgotten.

This is VLC, one of the most-used open source programs. How will code merged into the product be forgotten?

> It all seems wrong.

Indeed...

> Hopefully it is just bad wording on the official PR.

I think the problem is more likely caused by a complete lack of reading skills.