by SwellJoe
4101 days ago
This is somewhat unrelated, but maybe folks here have some experience with disclosure programs like HackerOne, which is something that I don't have much familiarity with. We'd love to have a way to encourage security researchers to focus on our software and give us reports, but we're Open Source and our budget is minuscule. What is considered "insulting" as a minimum reward? What will actually get professional people looking at it with a critical eye? Is its popularity (~1 million users and a pretty well known Open Source project) enough to compensate for not paying very well for disclosures?