Reply to post: Security by PR

Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?

chuBb.
Meh

Security by PR

Why am I not surprised that you need to tell businesses to hire sec people to implement and, if worth salt, catch before publishing the most braindead of blunders at least??

Bug bounties have always seemed as much an offshoring exercise wrapped up in PR/community outreach as anything to do with real security for the vast majority of examples. Sure, you have the argument that it provides an alternative to selling on hacker hangouts, but I seriously doubt the integrity of the "researcher" if that was a viable course of action for them.

Or is it just management getting booted into idiot mode and failing to follow the metaphors, because computers, as I doubt any of them would struggle with the concept of having a perimeter fence being patrolled, inspected and maintained by people on the inside, and not only relying on people on the outside alerting them to any holes in their fence...
