In the case of CSE, it does possess what's called a vulnerabilities equities program. This is a way by which CSE determines whether it will disclose or retain vulnerabilities that it identifies. It's not public. It's not clear how effective it is, and it's not clear what data is or is not presented to manufacturers, so I think it's important to work through that and present it.
Bug bounties are prospectively very helpful. Quite often, people who are doing security research aren't necessarily actually motivated by the money out of it; it's the prestige, and those are effective processes. They're often the later stage of a vulnerabilities disclosure program that's developed.
I would note that one of the concerns pertaining to the Australian legislation is that, reading through it, there's the prospect that the Australian government may be able to go to companies and say, “We want to know all the bugs that you know exist in your software but have not yet been patched”, in order to run policing or national security investigations. That's a serious concern, because if that is the way the government chooses to read its legislation—and it is suggested that it is how they will do it—it means that bug bounties and vulnerability disclosure programs can actually be used to channel data that is then used by other states, with the risk being that those vulnerabilities might not always be used to the benefit of Canada's interests.