> I think having a bug bounty program is actually a lot better than the vast majority of sites / vendors that don't even have a whitehat [aka responsible] disclosure program, let alone a bug bounty program. It's worth noting that this is just the base bounty - I've seen us pay out a lot more for good discoveries. $500 is also the base that Google and Mozilla offer for their programs (http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w..., http://www.mozilla.org/security/bug-bounty.html). What would be a good price, do you think? I'm not hooked in enough to know what black market prices are like for bugs like this.