freelawproject / pacer-issues

A place to discuss and track issues and improvements with PACER

Establish a bug bounty program #67

Open mlissner opened 4 years ago

mlissner commented 4 years ago

Describe the solution you'd like

In addition to a disclosure policy created in #66, the AO should implement a bug bounty program. Bug bounty programs provide financial rewards to security researchers that properly disclose vulnerabilities, and set up boundaries for the kind of security research that is acceptable. Bug bounties are a tested means of building security communities in the private sector, with programs offered by numerous organizations such as Google, Facebook, Yahoo!, and Microsoft. In the public sector, they are gaining steam too, with recent offerings from the Pentagon, the Army, and the GSA. These bug bounty programs are a common way to motivate the public to come forward with vulnerabilities and to fairly compensate them for any that they discover.

Additional context

https://free.law/2017/08/09/more-details-on-the-pacer-vulnerability-we-shared-with-the-administrative-office-of-the-courts/