nodejs / security-wg

Node.js Ecosystem Security Working Group

Adding language to Bug Bounty program to differentiate "security features" from "defense in depth features"

rdw-msft opened this issue · comments

In the security wg discussion 2024-04-25, we discussed some of the difficulties managing a security bug bounty program. The discussion centered around differentiating between security features meant to enforce a security boundary, and defense in depth features meant to add additional layers of protection, but do not enforce security boundaries by themselves.

Here is the document we use at Microsoft to make this distinction: https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

Let me know if you have any questions. We're happy to help out!

Closing this since it's redundant. I replied to a comment in #1255.