I read our bug bounty[1] recently, and I have a "haha, but serious" observation:
I think the current bug bounty gives a significant financial incentive to _delay_ reporting a bug until it makes it into a beta/GA release ($2.5k vs $10k for critical core bugs). I'm sure this wasn't the intended outcome.
Maybe we should arrange the "peak" reward where we want to focus bug hunting: *right before release/GA*.
Specifically, I suggest we *decrease* (slightly) the relative reward for GA core compared to beta core. Also, I suggest we offer the maximum reward for (e.g.) the last 3 weeks of code freeze leading up to a release, and less for bugs in actual released code.
I appreciate that we can't pay out the maximum reward as soon as the bug lands in git/alpha, because that's too open to abuse and collusion. Also, my above beta vs GA suggestion assumes that we don't introduce new bugs in the transition from beta->GA, and as I understand it, it is common to make changes beyond just the apiVersion during that transition.
--
- Gus