by behringer 2522 days ago
In the movie Independence Day the aliens' computer systems were hacked with a few hours' worth of work. Why were they hacked and destroyed? Because nobody reported and worked on security incidents of course. Why would anyone need to in a militaristic society?

My story is silly, of course, but the point is real. If you don't attack and then fix systems, a lot of people will get hurt.

1 comments

That's better phrased, indeed. The problem with your earlier statement is that the incentives are not for the people you are talking about.

You don't offer rewards to prevent criminals from selling exploits. Criminals are going to sell exploits anyway. Bug bounties have nothing to do with criminal behavior.

Bounties are there to incentivize the honest people to do security work. And the response of an honest person being denied a bounty IS ABSOLUTELY NOT to turn around and sell it.