Originally, bug bounty programs helped improve security for a couple of reasons that had nothing to do with payouts for vulnerabilities. They provided a clear method for reporting security issues to developers, and they signaled that the developers were going to address those issues instead of doing something like threatening a lawsuit. Then the security industry saw yet another way to make money while making security worse. Security providers, including HackerOne, came along telling companies that they needed a bug bounty program and that they should pay the provider to manage it. That led to an unnecessary third party being inserted into the process, and to companies that were not interested in fixing issues appearing as if they were. The results haven’t been good.
One of the problems with this arrangement, as we previously noted with the programs from WordPress and Automattic, both of which are handled by HackerOne, is that it creates a situation where there isn’t a method to report many security issues at all. This is something we have tried to address with WordPress, with no success.