|
|
|
|
|
|
by baq
301 days ago
|
|
|
I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on. |
|
|
Particularly for a dep they've chosen to ship in their browser.