baq 6 days ago
I'm just saying they've got a bug bounty program but not a bug prevention bounty program, or even a fix a known bug bounty program. The security team has a budget for the realized risks but predictably not for managing unrealized risk in the open source community which they depend on.
x0x0 6 days ago
> a bug prevention bounty program

Particularly for a dep they've chosen to ship in their browser.