But what I really don't get is this bug bounty hateathon. If it's only 3% of bugs (currently WITHOUT incentives like a bug bounty), then that's really not that much money... and in return you get more cred, something you might use for recruitment, and the off chance that you might increase that 3% versus something going on the black market. Even more so, how much could this really cost!? And Oracle has how much money?! If you can't spend that on a bug bounty when your security is just so awesome as the post contends, then something is really in trouble.
Searching around, it looks like there was at least one vulnerability like this, in which Java failed to check certificates for revocation, and at least one exploit was found in the wild signed with a stolen, revoked certificate that Java still accepted.
This is especially fun because Java at least tries to sandbox unsigned applets, but signed applets get a lot more privileges.
One zero day in 2 years. Not quite the disaster area it's made out to be on HN.
"91% of web exploits are targeting Java"
My point is that Java keeps having security vulnerabilities, some of which are exploitable from the web. There's a reason why Oracle keeps releasing patches. Even more important is my main point that the reasoning given against a bug bounty program is idiotic, especially against the backdrop that they do in fact have security vulnerabilities on a regular basis.