I felt like if there is a company culture where everyone understands that security vulnerabilities can be costly, then there wouldn't even be a discussion about security researchers being entitled; there would be a good bug bounty program in place from the get-go. Maybe my logic is flawed, but to me no bug bounty program says we really don't care enough about this and it's not a big priority, we'll just let/hope people do the right thing and report problems because that's how big internet companies do things in 2013.
That's how I see things from the outside; I don't have any inside information and it could very well turn out they have most of their staff working on software testing and security.