In article <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@xxxxxxxxxx> you write:
> > * Whether or not this statement should be supplemented with a "bug bounty" program.
>
>In my experience (several years running openssl.org), bug bounties for websites are not worthwhile.

Agreed. They can be counterproductive and lead to silly situations of "I won't tell you unless you pay me first because I don't trust you to pay later."

R's,
John