Reward Yesh for responsible disclosure — CIQ first-ever bug bounty
Situation
When Yesh (pentestine@gmail.com) reported a ciq.com vulnerability on 5/21 via email, Peter responded within minutes to Steve Wallace and Bjorn: I would like us to reward here to encourage this behavior. He immediately forwarded the bug detail to Justin Haynes for the fix and aligned with Steve on severity. The reward is still pending execution as of 5/26 — this is the first bug bounty CIQ has ever paid.
Reasoning
Three threads. (1) White-hat disclosure is exactly the behavior CIQ needs as security posture surfaces — the same week the QBR named cloud security as a structural gap and TJ/CeeLo were spinning up supply-chain hardening. Rewarding it incentivizes more of it. (2) The good-actor framing matters — Peter is rewarding the posture as much as the find. (3) Establishing precedent: this is CIQs first bug bounty payout. The shape it takes will set the company norm for how future disclosures get handled, what the reward range looks like, and how fast leadership responds.
Additional Context
Same week the QBR explicitly flagged cloud security as reactive and minimal across six clouds, with a likely new security hire need (Steve writing JD). TJ and CeeLo proactively spinning up supply-chain hardening on GitHub workflows + NPM. The Yesh response is consistent with that posture but goes one step further by paying outside researchers.
Observed Evidence
Direct quote of intent within minutes of disclosure email; immediate forward to Justin for fix; alignment with Steve same-day.
Matching Patterns
Confidence Breakdown
Reasoning Depth Analysis
Related Context
This is well done on his part, both technically and from a good-actor perspective. I would like us to reward here to encourage this behavior.
Outcome
No outcome recorded yet.
Decision ID: 871e94cb-f2c4-4883-826a-a0abc1ee4064