@PhilipGrove – Thank you for spending the time to address everyone’s concerns.
I’d like to ask a follow-up question about the Private vs. Public Bug Bounty program.
I understand the benefits of public vs. private, and I understand why a public program is a planned prerequisite for A4A qualification.
However, what is the benefit of requiring all programs to be public? Why not continue to offer private bounty programs that simply aren’t eligible for A4A status?
There is a lot of concern about queues becoming overwhelmed by public bounty programs. In this thread, Atlassian has basically responded with “it won’t be that bad.” (I’m paraphrasing.)
But the “Making your Bug Bounty Program Public” page that you linked to in the RFC begs to differ:
So, my question is why isn’t Atlassian continuing to provide private bounty programs as a stepping-stone towards a public program?
I feel like this is an example of how the new A4A program is going to incentivize the largest vendors to invest in the exclusive badge, while disincentivizing everyone else from making much of an investment at all.