> Then think about how much a security audit would cost.
This is why some customers require various security certifications. Too bad the certifications often focus on whether your employees have three groups of characters in their passwords instead of an actual security audit with penetration testing.
My point being, how to make people want a proper audit and how to communicate you had one. From another point of view, how do you justify the cost without including the risk of being hacked? Because even in this instance, they were (probably) not hacked, and your reward was likely lower than an audit would cost.
You put up a decent-sized bug bounty. Whether or not the bounty is claimed, it shows your company either has good security, or is prepared to put a lot of resources into making it good.