Bounties can be counterproductive. I've experienced test environments where paying a prize to the most prolific bug reporter discouraged participation; some testers, who had assisted believing it was a worthy thing to do, declined to participate when offered the chance of winning a £50 book token. A lot of bugs are quietly reported by hackers and crackers in order to gain recognition by their peers -- or some publicity for their computer consultancies. The problem is creating an environment in which bugs can be reported without fear of investigation for doing the right thing. Secondary to that is confidence that the problem will be addressed. But you are absolutely spot on that UK government does not have a clue how to respond to bug reports. Apart from big orgs like Google and Facebook, or small development teams, who does have a response mechanism for bug reporting?