by amirmc 4001 days ago
We're aware that bounties can't demonstrate security (mentioned early on in the post). However, putting such items out there and inviting review helps to stress-test the stack.

Right now, unikernels aren't in major production use, so there's little to gain by holding on to an exploit (one would assume).


> there's little to gain by holding on to an exploit

Correct, but there's also very little to gain by developing it in the first place. Right now, the pinata's value is approximately $2500, or less than two straightforward XSS bugs on Google properties, which are waaaay easier to find. There's just not anywhere near the motivation required to get (mostly well-paid) security people on this. It's interesting, but that's about it.

Yup, I totally agree with your points. However, I also feel there's some 'fun' factor here too -- and we hoped to appeal to it. By having the entire code base available, it also reduces the need for reverse engineering that other programs might require.

We didn't really expect the money to be the main motivator. Just a hook to draw attention.