Great points made. One obvious vulnerability in a system of "bounties as standard practice" is the temptation to pair up, where one member gets employed and writes hackable code, while the other hacks it. This is what we have long joked (and half suspected) Symantec, McAfee, and other anti-virus software manufacturers of doing--the guy in one room writes the virus, the guy in the next room writes the anti-virus. I am pleased to hear what United did, though.

And as far as punitive damages rewarded to victims of crappy code...hm...it's too juicy the way it is now with all the cat-and-mouse and subsequent embarrassment. I am, however, very upset that every taxpayer living under my roof has received letters from the IRS saying that their website was hacked and all of our social security numbers, tax records, and financial information was stolen. This was obviously because of their negligence, but I'm not allowed to sue or fine them for it. No, instead we have to file everything by paper and snail mail, and to go through additional verification steps with every correspondence. This is because they did us the favor of "flagging" our accounts.