There has been a lot of publicity surrounding 'bug bounty' programs that pay out seemingly large rewards for finding vulnerabilities in web applications. This trend has increased over the years as crowdsourced security programs have matured since their inception almost 10 years ago and their adoption has become mainstream. Should we pay out large sums of money for fixing the symptoms and not the cause?
For example, Zoom has recently increased their maximum pay-outs for vulnerabilities to $50,000 as part of their crowdsourced security program (See Figure 1 below). Such lofty . . .