by sliverstorm 4432 days ago
Of course they cannot compete on a dollars-for-dollars basis, but people will often accept less return (or pay more) to stay on the up-and-up.

If a criminal would pay you $10 for your exploit, and I would pay you $9 to disclose it, many people would opt to disclose.

Furthermore, I imagine it could attract researchers' priority and attention to your product over a competitor who offers a lesser/no bounty.
And what if instead of $10 and $9, it's $75,000 and $1,000? And you live in an Eastern European country, where the former will feed your family for years.
Then the ratio of people who would disclose changes. I'm not saying the bounties prevent everyone from selling to criminals.
Do we have the numbers on what percentage of disclosed bugs are from Eastern Europe/"poor" countries? My guess is that gray-hat researchers take into consideration their likelihood of being caught when considering the bounty.

It would be interesting to know the percentage of people from less-developed countries who choose to claim bounties rather than exploit the bug vs. that of people in more-developed countries. I think you would probably find that fewer bug bounties are claimed by researchers in countries with less computer crime enforcement. I think you would also find that raising the payout for bug bounties would affect that likelihood.

Great thesis project for someone to work on.