a third-party entrepreneur can offer to back promising reporters.
Libertarians like to suggest this sort of thing a lot, and it usually doesn’t work. If you’re dealing with thousands of dollars, the third-party entrepreneur has overhead for such things as lawyers and advertising. It would suck to do it and be arrested for money laundering, or be stuck with bad contracts, or be told that your rejected bugs violate a disparate impact rule. He’d have to make a profit after taxes, and he would have to make a profit compared to other uses of the money, not just compared to doing nothing. And OpenSSL could end the program, change the size of the bounty, or add conditions like “no third party” at any time, leaving the third party having spent on overhead and gaining nothing. (Or should the third party contract with a fourth party for insurance against OpenSSL doing this?)
In fact, they could announce that if they reject your bug, you have official license to sell it to third parties.
The official license won’t exempt OpenSSL from liability for publishing the bug and having party B use it to cause harm to party C—party C didn’t grant any permission.