
really big bounties would then be appropriate, as they would come with NDAs. Small bounties would just encourage others to make them public / sell them to more malicious actors.


What if multiple people discover the same vulnerability? What do you do?

Do you pay out to all of them? Do you make them sign an NDA without guaranteeing you'll pay them? Do you tell the 2nd, etc., discoverers to go away and hope they don't reveal it?

If you pay out to all of them, there's a strong incentive to leak info and collect multiple bounties for the same vulnerability.


You hire a salaried security researcher and forget the idea of bounties.



