[rdl]

I think the Hall of Fame is worth more than the $20.

This is one of those cases where the $20 is probably worse than $0, though (even though it's non-cash). It's like "hey, friend, will you (help me move|have sex with me|etc)"; more likely to do it as a favor than when $20 is offered. Probably even more likely to do it for $1k than as a favor. $1000>0>$20.

[michaelbuckbee]

I remember on one of the early StackOverflow podcasts that Joel very specifically wanted to stay away from any kind of monetary compensation for answering questions because as soon as somebody tries to do a $/time equivalency in their head the whole thing looks like a rip-off.

Much better to frame things as a way to show off to peers, help the community, etc.

[sillysaurus3]

When it comes to security vulnerabilities, hackers usually sell them to the highest bidder, which is why it's good for the highest bidder to be the bug bounty program. Recognition is nice, but money fixes problems.

[icegreentea]

I honestly don't think there are many situations where the highest bidder for a bug will be a bug bounty problem. Consider from a couple year's back when Vupen won Pwn2Own against Chrome, and Vupen refused to disclose, based on the commercial value of the exploits. The key quote (and I don't think he's exaggerating) is: “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...

[sillysaurus3]

Thank you for the wonderful article! If anything, this is more evidence that money is more important than recognition, so bug bounty programs had better be lucrative.

It seems like if Google were to offer a $1M bug bounty tier, it'd be much more likely that Vupen's exploits would be discovered by someone else.

[eli]

That's an extreme example. Most bugs are very likely worth more the the company than anyone else. How much could you honestly see a bug in 4chan for?

[koralatov]

The Hall of Fame is the really worthwhile part, and has more value to most users than a small amount of cash. Perhaps something like Donald Knuth's reward cheques[1] for TeX bugs would be a better option?

[1]: http://en.wikipedia.org/wiki/Knuth_reward_check

[Grue3]

The whole point of 4chan is anonymity, so being in the Hall of Fame is completely useless. In fact, your typical 4channer would probably prefer sheer lulz resulting from hacking 4chan to any monetary reward.