Assuming a company thinks it's pretty secure, putting real money on the line (the same money you'd normally pay an expert to pentest your system) would get some more prolific minds involved.
- You only need one person to report it, and so if Nefarious Nigel has found it and is planning to use it for profit, and then Sweet Sarah finds it and reports it, then it worked. I imagine this is the case for the majority of bugs (but can't prove it).
- $5000 isn't in a different order of magnitude to Google's rewards, and they paid out several million dollars. This demonstrates that it does motivate people but also that adding a 0 on to that would likely have a far larger impact on revenue than Nefarious Nigel and his evil plans.
- I think a large number of smart people would (rightly) be scared about taking the black market route, but are motivated when they know there isn't a legal risk. Or put differently, the risk to reward ratio ("pot odds") becomes worth it at this value for a legal prize.
My guess is that the thinking goes something like this: White hats aren't going to hack us anyway, and will be fine with the tiny rewards we give them. So there's no reason to increase the rewards for them. Black hats probably aren't going to be dissuaded even by very high rewards, or perhaps even with high rewards they'd try to have their cake and eat it too, selling exploits first and then reporting them. Basically, they can't be trusted so trying to buy them off with a fair-market price isn't even worth it, so we may as well ignore them in our pricing strategy.
I don't know if that reasoning is correct, but I think it approximates the thinking that leads to the status quo in this case.
I argue that bug bounties are a pressure release valve for people who know that there's a problem, but are unsure if they're at risk of getting lawyer'd or prosecute'd for disclosing vulns.
No private entity can compete with nation states for vulnerability rewards.
Has anyone written a "best practices" guide for designing a security page?
That being said, in practice, I don't know that everyone is diligent about checking signatures of public keys they receive. An attacker could create a spoofed key, sign it with several other identities controlled by the attacker, and hope those signatures are enough to fool the unwary.
Full disclosure is not irresponsible and attempts to frame it as such are bordering on malicious toward the exact community in which you are attempting to engender goodwill.
Software development is hard. Most projects are developed by teams, not single contributors. Consequently, part of reporting bugs is enduring the back and forth of communications with teams. Reporting bugs is not an all-or-nothing game.
However by any reasonable definition [1] it is a meme, being a "unit for carrying cultural [...] practices that can be transmitted [...] through writing [or] speech." Remember that memes existed as a concept long before LOLcats and formulaic GIF images with amusing text macros on the Internets...
[0] http://www.wiretrip.net/p/libwhisker.html
[1] https://en.wikipedia.org/wiki/Meme
https://twitter.com/totally_unknown/status/42899282447475916...
Don't expect to earn easy cash here. :)
"We are using a simple severity ranking scheme: Low - Medium - High - Critical. Rewards range from $100 up to $5000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is only 1.64% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at 59.53% of our traffic, will earn a much larger reward."
I especially like that they have 'rules for us' and also they have a section at the bottom which discusses discretionary bounties for their properties not covered in the main list.