The bigger moral associated with the Heartbleed thing was that you need hardass gatekeepers for important software. If you allow people to dump crap into your project then you shouldn't expect anyone to pay attention to it. There is no way in heck that a cryptography library needed a heartbeat function. The LibreSSL project isn't about diversity, it's about removing the crap. Code that doesn't exist can't cause security issues and as a result doesn't need bug bounties.

The same idea works for standards. If you don't have a way of resisting the inclusion of requirements in standards then your standard will end up unusable ... and then you *have* to include all the extra code.

In general money makes it harder to do proper gatekeeping. It is hard to resist the commercial needs of the people that are paying the bills. These needs often involve poorly thought out crap.
This post sounds like some advance marketing fluff for a commercial website facilitating rewards for bugs found in open source software, with the backend perhaps adapted from the codebase powering the author's Stack Overflow business.
"allowed attackers to view all traffic to these websites, unencrypted... for two years" - but you needed access to the network or some intermediary node, right?