who needs a bug bounty program when a dev can just accidentally deploy a vulnerable package and have their entire system taken down by a sql injection attack within minutes?