I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

Michael Wojcik Silver badge

Re: A little shortsighted

Bug-bounty programs are difficult to structure, manage, and budget for. With large organizations it's extremely difficult to accurately estimate how many unsolicited reports you'll get from outside researchers over a year. The value of a report is difficult to determine: computing metrics such as CVSSv2 or v3 scores is rather subjective, the security sensitivity of the product and its exposure to customers have to be taken into account, the development team may claim to have been aware of the issue already, and so on.

Sometimes you get multiple reports from independent reporters. Sometimes reports are simply incorrect, or refer to old product versions which are no longer supported, or only apply to configurations which are specifically documented as insecure.

With a large organization, getting agreement on bounties across all units is difficult. Should all products have similar bounty structures? What about reports for vulnerabilities in public-facing websites? Or in infrastructure? To get any sort of consistency you need clear direction from the C-suite level.

Often a PSRT can quite easily get approval for swag, but getting a bounty program in place can take years of lobbying top executives. You do what you can.
