Blog | G5 Cyber Security

Bug bounty platforms buy researcher silence, violate labor laws, critics say

Bug bounty platforms use NDAs to trade bounty hunter silence for the possibility of a payout: security researchers report security flaws under NDA and are paid to keep quiet. All organizations need a vulnerability disclosure program (VDP); few need a bug bounty program. HackerOne's co-founder and CTO Alex Rice defends the practice of providing private bug bounty programs to companies that lack a VDP, citing legal, regulatory, policy and risk management concerns inside customer organizations. A VDP looks like this: good-faith security researchers tell you your stuff is broken, and you get 90 days at most to fix it.

Source: https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html
