As I just mentioned in the draft of governance IBB pays out for libcurl vulnerabilities. So there are multiple programs and it may benefit the reporter to go with one program over the other. For example they paid $1k for duphandle read out of bounds.

I don't think we can speak for other programs in which we have no say or influence. What do you think we should say about IBB? Mention that it exists (which we already do the in SECURITY-PROCESS doc) or state that we won't pay reward money for vulnerabilities already paid for by other bug bounties?

I don't think we should add "not getting paid by another bounty program" as a requirement. First, it makes it really hard to keep track of and secondly, a flaw is a flaw to us no matter if another program will pay for it or not and to the same extent. A reported security flaw that fulfills our requirement may be eligible for a bounty I think.

IBB has a requirement for paying a bounty that the reported flaw has to "be novel: vulnerability is new or unusual in an interesting way" - which we certyinly don't have as a requirement.

Fair enough. This reminds me for readability I propose let's stop putting [ci skip] in the subject of commit messages and instead put it on its own line at the end of the body.

I was going to say that I thought one of those systems required the skip to be on that line. But now when I look it appears like both travis and appveyor still built this commit so it was a failure in several ways... :-/