Hacker News
by laurencei 1312 days ago
I suppose the risk is people could 'game' the system.

Person A finds the issue, reports it.

Then Person A secretly tells Person B about it (with no apparent connection), and Person B reports the same issues a few weeks later, but with apparently different code/description to look ever so slightly different.

1 comments

Split the reward between everyone who reported it. It's even still kind of fair: The more people find it the easier it was to find.
Of course, then when A and B independently find a bug, B can enlist C, D and E, thus taking 80% instead of 50% of the bounty.

No system is perfect.