I'm asking: why would you make a bounty conditional on "access" at all? What's the win? A bug is a bug. If it has the potential for access, it's worth the bounty. All a demonstrated access requirement does is encourage strangers to violate the privacy of your customers. It seems like an incredibly reckless idea.
Bounty programs are very noisy. I don't even have a bug bounty program, and have several messages from confused people in my inbox asking about one. The "bugs" they propose are not bugs in my programs---for example, one reports that data can be uploaded to a collaboration system, downloaded, and then executed in a user-provided interpreter---and that this interpreter may surprise the user with its behavior.
Any better ideas of how to structure a bounty to get bugs and not confused users?
Saying something is theoretically possible with automated vulnerability scanners (which have incredibly high type 1 error due to out-of-date headers due to lazy programmers and misconfigured webservers) and showing that it's actually possible are completely different things. A whitehat proving he can get user access or MITMing data they created as a proof of concept is completely benign. I've yet to hear this as the source of a leak of customer data.