
On bounties and boffins - mathattack
https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/
======
munin
What's hard to get from this is a sense of quality. For one, professionals
have a hard time nailing down what a "quality bug" is - if given a few
different bugs and told to rank them, you could probably come up with some
ranking of your own, but it would probably be different from your coworkers',
bosses', customers', etc. So that sucks. However, there are also reported
findings that most people could agree are low to no value. How many of those
show up in bounty programs vs. internal finds or commissioned audits? Of the
people at the top of the distribution, how many of them are reporting many
high quality finds, or spray-and-pray with lots of chaff? Are there "diamonds
in the rough" near the bottom who only get out one or two a year, but they are
high quality? Is that an indicator that if those reporters could be given full
time jobs doing audits, their productivity would rise?