Meet the bughunters: the hackers in India protecting your data (theguardian.com)
62 points by cichli on April 10, 2016 | 16 comments



I think the Guardian didn't do their homework right. Apparently Rahul Tyagi, just like Ankit Fadia, is considered to be a con artist.

https://news.ycombinator.com/item?id=4316574


> rupee millionaire

I don't wish to put down Mr Prakash's achievements, but is that actually a celebrated figure in India - or at ~£10.6k is the word 'millionaire' just sensationalism for our benefit?


~£10.6k is an OK figure in India, but depends where you are and what you do.

In an international company, doing UAT type testing and investigation, it would be about average for an assistant manager, but the variance is vast, even between people sitting next to each other.

If that figure is per month, then he's really doing well, pulling in the same as an SVP in an international company managing a team doing a similar role.


Right, he's doing well but it seems odd to say to a predominantly British audience that he's a "multi-millionaire [in rupees]", when actually the implication of that is 'hugely successful, doesn't need to work', rather than 'successfully self-employed/running his own business'.

Congratulations and all the best to him, of course, I just think it's a misleadingly sensationalised subtitle.


Approx. 1 year's salary for a guy working in the IT sector with 2-3 years' experience.


Amazing that all publicly traded companies are not by law required to have bug bounties.

Same goes for any major open source project too.


Open source projects rarely have a budget for development, let alone bug bounties.


Nobody should have to offer bounties. Researchers should not expect to get paid for their unsolicited work.

We probably agree that vulnerability reports should be seen as a positive thing. What software owners should have are policies and procedures for transparently handling vulnerability disclosures. At most, I think having some flexible process should be required as part of a certification (PCI, etc).

I do think that knowledge of a vulnerability and lack of action to fix it in a reasonable amount of time, which results in a breach, should be treated more seriously. At the same time, encouraging reports of breaches is hard as it is, and introducing more punishment would make everyone want to just keep quiet or be as ambiguous as possible. I'm not sure what a good solution to this would be.


> Nobody should have to offer bounties. Researchers should not expect to get paid for their unsolicited work.

The Chinese and Russian exploit markets don't seem to care if the work was solicited or not.


Yes, why don't we incentivize companies to keep more software closed source than already is?


Publicly traded companies are required to face fines for negligence, for information leaks, fraud, or other. As are all companies.

If they choose bug bounties to help with this, good for them. If they choose other measures, also good. They simply need to show they make an effort to protect information as dictated by information security laws, or internal policy, whichever is stricter.


Maybe in Euro-land. In the US companies with data breaches are the hapless victims of those nasty hacker types. You wouldn't want to blame the victim would you? Never mind that they have a column of plaintext passwords in a web accessible server.


At what point should a piece of software have a bug bounty? It seems forcing bug bounties would cause them to become purposefully convoluted to obtain.


Just even having a page, with a small bounty, and a secure means of submitting an exploitable bug. If you want to dig deeper, I'd contact professional bug hunters and ask them how to ensure that the value of the bug matches the reward.


And if you can't afford to pay a bounty, just don't write software, right?

Don't you think it's odd your answer to what you are replying to is "I have no idea, ask someone who knows" yet you feel compelled to weigh in on who should not be allowed to write/distribute software?


Unclear why you believe that a major software project would not be able to find a sponsor for a bug bounty; in fact, many major projects already have bug bounty sponsors.

Also, why would it be strange to suggest talking to someone other than myself?



