by _vvhw 1372 days ago
I've definitely been there! Finding P1s for full read/write access and then seeing the report downgraded to a P3, and having to have the platform arbitrate and bump it back to P1.

However, it was this experience of mine as a part-time security researcher that actually led to us creating the bug bounty program for TigerBeetle's consensus.

For example, if you're looking at another database and find a correctness bug, there might not be a bounty program at all. Whereas with TigerBeetle, there hasn't been a single valid report that we haven't awarded, at least so far.

It's also why we were careful to rather be upfront and explicit about scope, than disappoint anyone after the fact.

And we recognize that consensus is hard and takes time to learn, hence the $8192 award for correctness finds.

That said, I hope you can see from the leaderboard that we've been generous. For example, Alex Miller found a bug in Apple's O_DSYNC and we nevertheless awarded $1024 because it was such a great find (Apple thought so too!).


$1024 is half my daily rate. I doubt someone finds "a great find" in 4 hours. And not even time that is guaranteed to be paid.

I think they are pretty open about what they can afford to pay. If you have self-selected to be worth $2000 a day due to expertise or necessity, then you know that you're not a good fit for them.

However, many people are willing to put in the work, so why are you so critical of their program?

Do you think they are taking advantage of people who should charge more? Or do you think they will not get anyone good for such a low rate, and thus fool themselves into thinking they are secure?

To be clear, this was out of scope of the bounty, it was a bug in Apple, that TB awarded anyway.