
The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have a responsible disclosure / bounty program.


It would be common sense to pay a bounty. Similar to the reward you should get if you find somebody's wallet. If you are known for not paying a bounty (a finder reward) some people will not tell you your security holes (will not give you back your wallet).

In the long run this will be more expensive than the bounty. But the problem might be that if they would pay a bounty, they would admit that they screwed it, which their lawyers would like to prevent.


I would absolutely never expect or even accept a reward for a lost wallet. It's our duty as a member of a civilized society to not steal.

If a wallet finder failed to give me my wallet back, I'd just call the police.


The options aren't just returning it or stealing it, they can simply leave it where it is to avoid the hassle of having to return it. Hence why having a custom of paying a reward might be beneficial for wallet losers in general.


I'd like to feel like people would be ethically and morally motivated to make efforts to do the right thing rather than expect to be rewarded for doing the right thing. Perhaps it is how I was raised, but it seems weird to me that I would turn in a lost wallet with expectation to get something back out of it. This so-called "custom" is not my custom. It actually seems very childish, where one is still in the phase of learning the importance of taking care of their neighbor.


Sure, but if I had heard several news reports of people finding and returning wallets being falsely accused of theft and subjected to serious legal threats, at that point if I saw someone's wallet lying around, I would just ignore it and keep going.

The bug bounty isn't only about the money. It's also the company's way of advertising 'we aren't crazy assholes like those outfits you heard about on the news'.

(Yes, fixing the law would be a good idea. But in the meantime, a bug bounty is the solution.)


It's a bit far stretched but: You can expect people to be ethically and morally motivated or you can apply security patches to your servers.


I think I'm bikeshedding; the whole "finder's fee" nonsense bugged me. The analogy between lost wallets and servers doesn't actually hold. One can have thieves and indifference in both worlds, but the natures of the exposed items and victims are different. It is more acceptable to people -- though not any more right -- to figure that a faceless multi-million dollar corp can absorb a tiny theft/hit, but it is harder to allow pain to a relatable fellow human being. (...unless, of course, one is affected by bystander effect or pressured by authority)


Hassle free return, drop it in a mailbox. Leaving it is an option, but the custom of returning things to their owner exists because one good deed begets another.


I lost my wallet once and someone turned it in to a nearby business, but with all the cash taken out.

Not sure if the finder or the business took the cash but I guess they got their own reward. Not what I would do, but I'm glad they didn't take the cash and trash the wallet.


Don't feel too bad. Could have been a thief at first that just left it on the sidewalk.


The interesting question is "Would you pay a reward to a finder (~10%)?".


I would not. It's an insult.


You should never expect a reward.

You should always give one. Claiming it's an "insult" to thank someone for going out of their way to do something they didn't have to do (v. doing nothing or throwing the wallet out) sounds like an easy excuse to be cheap.


If you need any reward to do what's right you might need to search within yourself what kind of person you really want to be.


Then you are a cheapskate at the cost of other wallet losers.


OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion with the bank so they know that paying a bounty for disclosures is a thing.


Nice work OP.

You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.

However, the thing that worries me with these things is: what if some "bad guys" already knew about this and were exploiting it, and now that the bank is aware and might close the hole, it makes them angry and looking for retaliation?

Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.

Sad world we live in :( so take care OP.


He is in Sweden. So definitely safer than being in India :-) Adding to that, I don't think bad guys from the computer world would go to great lengths to harm someone from the physical world.


I wouldn't be so sure of that.

Being in Switzerland definitely helps, but still, India being a very big country it wouldn't surprise me if they had some really-bad-guys(TM) mafias capable of hurting people in other countries.

Of course, a small thing like this wouldn't necessarily pop up in their radars but still...

I guess part of the reason I think this way is because I live in a country where this is a real threat. Where posting things that real-bad-guys(TM) don't like can literally get you tortured and killed.


> Switzerland

I see what you did there.


Ahhh.... yes... damn. Didn't do it on purpose. Sorry about that 0x424242. I am always getting those two mixed up, even in my mother tongue.

:(

I guess the point still stands as I originally intended it though. Again.. sorry for the confusion. Even though I know my geography reasonably well, my mind brings the word and my mouth or fingers say something else.


This never gets old.


The value of the write-up is a reward at least.


If the bank doesn't have a disclosure/bounty program, you can easily end up getting yourself arrested.


Probably from goodwill. Sadly the bank couldn't afford it, they can afford getting stolen from anyway. The bank always wins.


Don't think of it as a bounty. Think of it as payment for services rendered.



