> However this way you will focus on fixing only real world attacks. Still, it's somewhat a shameful thing to put vulnerable applications on production and rely solely on bug hunters to find bugs before attackers. Shameful because of the disrespect with customer data and your own data / reputation. In the end it's still insecure. Bug hunters should only be considered "an extra help" and nothing else.

Shameful? Sure, if you know about the vulnerabilities. But in most cases they're honest human mistakes that make it out to production, or because we've failed to educate people on properly securing their web apps and properties in general. And that sucks. And sometimes these bugs live on for years. But calling it shameful is rather harsh, and it doesn't improve any of it either. If anything it makes people feel crappy over it.