Other companies, including Facebook and Microsoft, have third-party bug-squashing programs, though they can get tricky. This month, Facebook accused a security researcher of overstepping his boundaries as he dug deep into Instagram's code and walked away with the digital keys to the city. Another company, Zerodium, offered $1 million for iOS 9 zero-day exploits in a controversial and irresponsible publicity stunt.

Tor recently hired former Electronic Frontier Foundation head Shari Steele as its executive director and she's pledged to expand Tor into the mainstream. Hosting a public bounty for hunting bugs is a solid step in that direction, as long as Tor avoids the associated traps.