
"In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it."

The whole article sounds like a mishmash of incompetence, being unprepared, and having a legal team not really interested in having a robust or even good bounty program. Basically a bounty program driven by Marketing and/or Legal to be able to say "we take bugs seriously" rather than by Engineering with an interest in actually getting problems resolved.



It's almost as if they decided to do this without remembering to tell their lawyers what a Bug Bounty program is.

Every time I read a story about a company bumbling their way through some obviously poorly conceived PR problem (see also: Logitech's recent announcement that they'll be bricking one of their products), I think to myself, "What on earth was that meeting like?" You know, the meeting where they are supposed to plan what to say, how to say it, what actions to take when, what contingency plans, etc. Those things that grown-up companies do when they interact with their customers or the public. I mean, was it really as incompetent as, "I know, let's offer a bug bounty, and then threaten legal action against people who participate! That will surely help our image!" Was there not one person around that conference room who thought to raise their hand and say, "Now hang on a minute--we might not be thinking this through..."


The road to hell is paved in good intentions. If I had to guess, a well meaning and experienced engineer or engineering leader proposed launching a legit bug bounty program. Maybe they pitched the idea to their boss, showing them hackerone or bugcrowd as an example. Everyone thought it was a good idea, but the further the concept shifted along in development and away from the original engineer, the less people understood what a bug bounty program actually is. By the time it gets through legal, and marketing, and the executive team, it turns into a downside protection effort rather than quality/security improvement effort. I have to imagine this is pretty common in large organizations that keep their departments siloed off from one another, reducing collaboration.


Do you work.... where I work?

Because that sounds like where I work.


Yeah, I work there too. The weird little rock between Venus and Mars covered in bureaucrats and other insects?


I think the GP had it: Key stakeholders were not interested in a real bug bounty. The bug bounty project was a Public Relations exercise.

Being able to say "we have a $30,000 bug bounty program and nobody has claimed it" would be extremely attractive.


I think it's more probable that they had the right intentions in the beginning, but then realized how much money these vulnerabilities might cost to fix because they had no easy way to resolve them without recalls. So rather than fix the issues and lose millions of dollars they just tried to hide them.


Everything by DJI, even the freaking batteries, has updatable firmware. Recall need unlikely.


What you are seeing is a sort of 'tip of the iceberg' sort of phenomenon. It is one of the multitude of consequences of in-person human interaction. Half-said, half-understood notions, half of statements spoken being nothing more than jockeying for social status, precise language looked down upon as too severe so adapted into vague statements that people don't ask for clarification of for fear of looking stupid. Tall people and charismatic people most often getting their way. Introverts with factual points to raise demur and go unheard. Things drag on until someone with a forceful personality drives forward an idea through sheer dominance and beats aside any opposition.

And then you get a public action that looks nonsensical. Because the process that formed it was in every way NOT optimized to produce the objectively correct action. In-person interaction is a cancer on the workplace and always has been, though it was far less visible in workplaces where the majority of people were standing on an assembly line putting together the same widget every single day without thinking. In today's world, where mental work is the primary economic activity, it is unavoidable and tremendously destructive. We will look back with amazement on how long we permitted this to linger on for no reason other than the fear the management class has of being made irrelevant by the tools that coordinate and facilitate radically better coworker interaction and the fear of those with forceful personalities of being caught with their pants down when tested on their merits (not that they necessarily will fail on those merits, but personal fears like that are rarely well-founded or rational).


What exactly are you suggesting? We only communicate with email?


Get the "charismatic" marketing and economy idiots out of businesses and build more introvert-engineer-founded companies :) Even Google was great back in the times when they were less economist and marketing expert driven...


Perhaps I've just gotten cynical as I aged, but I find that I'm a lot less willing to ascribe things like this to Hanlon's Razor[0] than I used to be.

[0] Variations on "Never ascribe to malice that which is adequately explained by stupidity."


Sufficiently advanced incompetence is indistinguishable from actual malice.

I'm still willing to accept that the root cause is often not actual malice, but I don't actually care if the damage is done because somebody wanted to inflict it or just ignored all warnings and forged ahead, no matter the cost. The damage done to others is the same.


Interestingly, "the law" in the U.S. generally agrees with you, insofar as it tends to put "reckless disregard" in the same category as malice.


In technical fields (notably very much not including anything involving a computer or software) there is also 'criminal negligence'. In things like construction, if the executives ignore and disempower the engineers and put business goals ahead of things like structural integrity or safety of the public, those executives go to prison. I'm not sure how much longer that will remain absent from anything computer-related, but thus far companies can straight up kill people out of bold, aggressive negligence of this sort and the courts just shrug their shoulders. We saw that with Toyota and their "unintended acceleration" killings. Multiple bodies, but when charged with criminal negligence, the courts basically said 'it's computers, nobody knows how they work.'

It didn't matter that Toyota lied and claimed their cars' computers used error-correcting RAM when they had cheaped out and saved a fraction of a cent on each car by using non-error-correcting RAM. It didn't matter that their developers didn't even have access to a bug tracker. It didn't matter that they didn't have access to static analysis tools (which, when used on the code afterward, found the problem instantly). It didn't matter that the automotive industry has 90+ practices recognized as "required" or "recommended" and Toyota's code followed only 4 of them.

There is literally no degree of negligence which is great enough to cause a court (in the US anyway) to judge a corporation as having been criminally negligent if a computer or software is involved. And it's reflected in the established business practices of most companies. They hire the cheapest "labor" they can find, deprive them of the tools and work environment needed to do their job competently, ignore any warnings about safety, security, correctness, or other technical issues in deference to business goals, etc.

And it'll be the worst of the worst who gets a fully autonomous car on the market and careening down your street first. And when it hits your car or (hopefully not) your kid, the company will skate away absolutely unscathed.


Criminal negligence is, indeed, rare in the courts. However, in civil cases there's still regular old negligence, gross negligence, and in some states, "active negligence," not to mention all the other causes of action which can put punitive damages on the table.


Well, this computer and internet stuff, it's all new, and it's so complex for lawmakers and a judge or jury to understand...

(Thanks for the hint, seems about right to not travel to the US anymore if border control and software companies can fuck you up that much)


That's 'Grey's Law'

There's also a variation on the idea I heard around here recently[0] called the Godfather's Switchblade:

"Make it look like an accident"

[0]: https://news.ycombinator.com/item?id=15674367


Never attribute to stupidity that which is adequately explained by laziness.


There's one more option besides malice and stupidity: ignorance.

It might count as stupidity, though, to have no clues about things and be so ignorant about it that you are not willing to do anything or listen to anybody that could change this cluelessness... ;)


I've worked at several software companies where the lawyers thought it was their company, not ours. All you can do is move on and warn others.



