by cge 726 days ago
Cryptocurrency bug bounty programs perhaps have an advantage in that the risks of classes of bugs are often concrete, financially quantifiable, immediate, and catastrophic. A bad RCE in a mainstream OS could do untold damage to users, reputational damage to the company, and so on, but even if severe, those risks have to be estimated. But in this case, for example, it seems like the $2m bounty was for a bug that, if exploited, would have made $1b in market cap disappear. I expect it's just much simpler to convince a skeptic businessperson when the risks are so clear.

That's a very solid point, as sad as it is.

I suppose the argument for OS makers to raise their rates might be that they are paying 10x below market rates, and the rates were set by the actual freaking market that exists.

If I were a congressional aide, I would definitely write something up about this when my boss was going to drag a Microsoft exec across the coals in public. I would imagine that billions in gov contracts are at risk for MS right now due to lax security. A $2M bug bounty could have prevented that.