Discretionary bounty offered for Yeshs vulnerability disclosure — case-by-case mode, no formal program
Situation
Yesh privately disclosed a vulnerability in ciq.com on 5/19. Peter forwarded to Greg/Bjorn asking if CIQ has paid bounties before. By 5/21 Peter emailed Steve+Bjorn endorsing reward: This is well done on his part, both technically and from a good-actor perspective. I would like us to reward here to encourage this behavior. Steve drafted a response: We do not currently operate a formal public bug bounty program, but would like to offer a discretionary reward for your efforts once validation is complete. Peter explicitly endorsed via DM (Yup!). Peter separately forwarded the disclosure to Justin to fix. Bjorn aligned on the wording earlier. Steve owns the response thread; Justin owns the fix; Bjorn owns sign-off; precedent-setting case for future disclosures.
Reasoning
Explicit driver: behavior reinforcement — Peters own words were encourage this behavior. Discretionary bounty without a public program signals to this researcher and (via reputation) future researchers that disclosure to CIQ pays off, without the operational tax of a public program (obligation + low-quality inbound flood). Same shape as Peters instinct to avoid formal mentorship programs and other formal-with-overhead structures: informal-with-judgment beats formal-with-overhead at CIQ size. Separation of concerns intentional: pay the discloser AND fix the bug in parallel, neither blocking the other. Bjorn looped in early to prevent later who-approved-this conversation — COO hat owns reward as both expense and customer-trust signaling. The 5/19 → 5/21 lag (asked Greg/Bjorn first, acted 5/21) shows Peter checking precedent before setting one.
Additional Context
Same week as cloud security engineer JD decision (D9) and TJ/CeeLo running supply-chain hardening projects (GitHub workflow SHA pinning, NPM package securing). Security posture is having its moment broadly; rewarding the disclosure is the consistent move within that broader stance.
Observed Evidence
Direct email quote of Peters encourage-this-behavior framing. Steve DM thread with explicit Yup endorsement. Parallel forward to Justin for the fix. Multi-day check-precedent-then-act sequence (5/19 ask Greg/Bjorn → 5/21 act).
Matching Patterns
Confidence Breakdown
Reasoning Depth Analysis
People Involved
Source
reflection
AI Confidence
71%
Related Context
This is well done on his part, both technically and from a good-actor perspective. I would like us to reward here to encourage this behavior.
slack
Steve: Assume the answer is yes... include this in my reply to Yesh: We do not currently operate a formal public bug bounty program, but would like to offer a discretionary reward for your efforts once validation is complete. Peter: Yup!
Justin, See below. And please fix. :) - Peter
Have we paid bounties on things like this before?
Outcome
No outcome recorded yet.
Decision ID: 9a1ac7cf-2c71-4332-ac8a-1dd9cc9eb284