Will the incentive for new vulnerability discoveries, the award, or the amount of tokens to be gained, be consistent with the complexity of the vulnerability encountered?
The amount of tokens Secure Planet awards to contributors will vary depending on each individual case.
Two major factors will determine the amount of awarded tokens. They are as follows:
- Popularity of the open source software containing the vulnerability - the higher the usage and/or adoption rate of the open source project, the higher the token amount
- Vulnerability severity ranking - the more critical the vulnerability, the higher the token amount
Who decides whether a discovered vulnerability is severe or not? That's a process that can hardly be judged highly objectively. What does the scale for the ranking look like?