by evan_ 4434 days ago
You're right. I shouldn't have said "more profitable" - obviously you're going to get more money immediately by exploiting a bug that gives you direct access to everyone's bank account. What I should have said was "more attractive".

If I have to choose between 5 years' wages with a 90% chance of going to jail for a very long time vs. a month's wages as a bounty and a 0% chance of going to jail, I'm going to pick the bounty every time. I think a lot of people would agree with me.

As discussed further down in this thread, raising the value of the payout or lowering the possibility of being caught makes the other side more attractive.

(Of course, I would choose to disclose every time, because I'm just a good person.)

3 comments

I don't think the bounty is all that significant in deterring any would-be exploiter. Instead, it incentivizes the honest person who enjoys the puzzle of finding the exploit but would never actually try to profit from it illegally. It might allow some of those "hobbyists" to justify a little more time at the task, or attract them to one project over another.
When is the last time you heard of someone going to jail because of a zero day?
Bad guys must not agree with your assessment of 90% chance of going to jail.
The risk of getting caught isn't constant, it's highly dependent on the circumstances and the perpetrator.

Also, besides the crime itself, spending a large sum of ill-gotten money without getting caught is a lot easier if you already move in an environment geared for that - few things you can do in a middle class lifestyle that won't arouse suspicion.

I think that's what defines them "bad guys".