[ajross]

I understand the point you're making about incentives, but the phrasing is poor. The reason people shouldn't sell exploits to the highest bidder isn't because the vulnerable software author refuses to pay a bounty.

People shouldn't sell exploits because it's a crime that hurts people.

[behringer]

In the movie Independence Day the aliens computer systems were hacked with a few hours worth of work. Why were they hacked and destroyed? Because nobody reported and worked on security incidents of course. Why would anyone need to in a militaristic society?

My story is silly, of course, but the point is real. If you don't attack and then fix systems, a lot of people will get hurt.

[ajross]

That's better phrased, indeed. The problem with your earlier statement is that the incentives are not for the people you are talking about.

You don't offer rewards to prevent criminals from selling exploits. Criminals are going to sell exploits anyway. Bug bounties have nothing to do with criminal behavior.

Bounties are there to incentivize the honest people to do security work. And the response of an honest person being denied a bounty IS ABSOLUTELY NOT to turn around and sell it.