I’m starting to feel that bounties for security vulnerabilities for OSS were a mistake. They attract the “wrong” kind of actors that have no interest in improving OSS, but they are in it only for the money.