Discretionary bounty offered for Yeshs vulnerability disclosure — case-by-case mode, no formal program

May 21, 2026 at 10:32 PMoperationalmedium

Situation

Yesh privately disclosed a vulnerability in ciq.com on 5/19. Peter forwarded to Greg/Bjorn asking if CIQ has paid bounties before. By 5/21 Peter emailed Steve+Bjorn endorsing reward: This is well done on his part, both technically and from a good-actor perspective. I would like us to reward here to encourage this behavior. Steve drafted a response: We do not currently operate a formal public bug bounty program, but would like to offer a discretionary reward for your efforts once validation is complete. Peter explicitly endorsed via DM (Yup!). Peter separately forwarded the disclosure to Justin to fix. Bjorn aligned on the wording earlier. Steve owns the response thread; Justin owns the fix; Bjorn owns sign-off; precedent-setting case for future disclosures.

Reasoning

Explicit driver: behavior reinforcement — Peters own words were encourage this behavior. Discretionary bounty without a public program signals to this researcher and (via reputation) future researchers that disclosure to CIQ pays off, without the operational tax of a public program (obligation + low-quality inbound flood). Same shape as Peters instinct to avoid formal mentorship programs and other formal-with-overhead structures: informal-with-judgment beats formal-with-overhead at CIQ size. Separation of concerns intentional: pay the discloser AND fix the bug in parallel, neither blocking the other. Bjorn looped in early to prevent later who-approved-this conversation — COO hat owns reward as both expense and customer-trust signaling. The 5/19 → 5/21 lag (asked Greg/Bjorn first, acted 5/21) shows Peter checking precedent before setting one.

Additional Context

Same week as cloud security engineer JD decision (D9) and TJ/CeeLo running supply-chain hardening projects (GitHub workflow SHA pinning, NPM package securing). Security posture is having its moment broadly; rewarding the disclosure is the consistent move within that broader stance.

Observed Evidence

Direct email quote of Peters encourage-this-behavior framing. Steve DM thread with explicit Yup endorsement. Parallel forward to Justin for the fix. Multi-day check-precedent-then-act sequence (5/19 ask Greg/Bjorn → 5/21 act).

Matching Patterns

17%
Strategic Alignment for Rewards(reward reinforces strategic behavior)

Confidence Breakdown

32/35
Evidence
10/30
Pattern
19/20
Source
10/15
Corroboration

Reasoning Depth Analysis

Org Signal:Good-actor security disclosure is rewarded at CIQ via case-by-case discretionary track. No formal program — informal-with-judgment is the chosen mode.
Who Affected:Steve (response thread owner), Justin (fix owner), Bjorn (sign-off authority), all future would-be security disclosers (the precedent this sets).
Precedent:First bounty decision on record. Sets the case-by-case discretionary mode as the CIQ posture. Future disclosures will reference this as the template. Implicit ceiling is whatever Peter authorizes here.
Consequences:Small dollar (likely four-figure reward). Bigger consequence is the reputation effect with the security-researcher community over time.
Timing:Same week as D9 (cloud security engineer JD) and TJ/CeeLo supply-chain projects. Security posture is being actively strengthened; rewarding this disclosure is consistent with that stance.

Source

reflection

AI Confidence

71%

Related Context

📧
Re: I found a bug (Vulnerability) in ciq.com — Peter to Steve+Bjorn 5/21 8:39am

email

This is well done on his part, both technically and from a good-actor perspective. I would like us to reward here to encourage this behavior.

💬
Peter to Steve DM 5/21 12:20pm — endorse reply wording

slack

Steve: Assume the answer is yes... include this in my reply to Yesh: We do not currently operate a formal public bug bounty program, but would like to offer a discretionary reward for your efforts once validation is complete. Peter: Yup!

📧
Fwd to Justin 5/21 8:40am

email

Justin, See below. And please fix. :) - Peter

📧
Initial fwd to Greg+Bjorn 5/19 2:39pm

email

Have we paid bounties on things like this before?

Outcome

No outcome recorded yet.

Decision ID: 9a1ac7cf-2c71-4332-ac8a-1dd9cc9eb284