by michaelbuckbee 4420 days ago
I remember on one of the early StackOverflow podcasts that Joel very specifically wanted to stay away from any kind of monetary compensation for answering questions because as soon as somebody tries to do a $/time equivalency in their head the whole thing looks like a rip-off.

Much better to frame things as a way to show off to peers, help the community, etc.


When it comes to security vulnerabilities, hackers usually sell them to the highest bidder, which is why it's good for the highest bidder to be the bug bounty program. Recognition is nice, but money fixes problems.
I honestly don't think there are many situations where the highest bidder for a bug will be a bug bounty program. Consider from a couple of years back when Vupen won Pwn2Own against Chrome, and Vupen refused to disclose, based on the commercial value of the exploits. The key quote (and I don't think he's exaggerating) is: “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...

Thank you for the wonderful article! If anything, this is more evidence that money is more important than recognition, so bug bounty programs had better be lucrative.

It seems like if Google were to offer a $1M bug bounty tier, it'd be much more likely that Vupen's exploits would be discovered by someone else.

That's an extreme example. Most bugs are very likely worth more to the company than to anyone else. How much could you honestly sell a bug in 4chan for?