
I don't think the guarantee was a win.

I think most non-security people have roughly the same initial reaction as you did; it sounded silly, especially because lots of commercial enterprises have offered "security guarantees" and held "hacking contests" and weaseled at the results.

I know most security people don't care about the guarantee. We try to beat up on DJB's software because it is so hard to find security flaws in it, everyone knows that, and so a finding is a major reputation win. Nobody cares about the $1000; that's significantly less than a day's bill rate for the class of researcher that is likely to find these flaws.

The moral of this story is, don't bother with the guarantee:

(1) You will end up being asked to pay it out, because you are not Daniel J. Bernstein, and you will not write software as solid as qmail.

(2) It isn't going to impress anyone you care about.

(3) It isn't going to motivate hard-core researchers.



