by tptacek 641 days ago
That doesn't make sense, because bounty programs can't punish vulnerability researchers other than not awarding bounties, and whistleblower programs can punish whistleblowers. I got what that comment was trying to say, but, no.
2 comments

It becomes corporate politics when 'blame' is assigned to the team responsible for the bug.
The preceding comment, I could follow. This one I cannot. But I think we're doing the same thing that's happening all over this thread, and trying to axiomatically derive how these programs work. I'm not doing that; I (like a lot of people) have direct knowledge of them. It's not much of a secret.
Huh? Whistleblower programs exist to defend them and fail to combat the problem; one that directly punishes would be like a bounty program that actually crafts the legal threats to security researchers.
That is being done too. Teenagers showing vulnerabilities in school systems have been prosecuted in Sweden... Needless to say, they didn't get much help with looking for holes after that, so who knows how many security holes they still have.