
Are there really 20+ bug bounty payoffs for this one application?

On the one hand: kudos for running an effective bug bounty program. That's an impressive amount of community engagement.

On the other: this is just one Rails app, right?



Some of them are fairly interesting and not just simple exploits. For example, Coinbase prices BTC based on a third-party exchange, and due to the way that they fetch the pricing it was possible to manipulate the price down to below market levels and make a bunch of money. They paid out 5 BTC for that and it's on the bug bounty page, although it's not a "security" issue per se. It's probable that some of their others are similar in nature.

http://www.reddit.com/r/Bitcoin/comments/1mjjfb/how_i_succes...


Isn't security under one of those "things you can fix later" startup problems these days?

As far as I can tell, it goes: hype to serve growth to create a fad to exponentiate your user base to get you more funding to ... then start considering fundamental problems of architecture and security.

All startup writing focuses on growth at all costs by manipulating pleasant surface experience. The current model of "just keep iterating until users stick" is also: know as little as possible and keep changing things until you generate a random key to the lock of your market. That model of company building is in opposition to security and stability.

Just keep paying 21 year olds 150k salary+100k bonus to make rails apps. It'll all work out in the end.


Isn't security under one of those "things you can fix later"...

The problem is that the saying is: make it work, make it good, make it fast. Most programmers stop after the first step. "Make it secure" is not even an afterthought, and generally you only think about it after being bitten.

To be honest, "make it work" can be hard in itself. How do I justify spending four hours to add an issue and fifty to go through the other steps? I can imagine telling my boss "oh yeah, I added the feature two days ago, then I cleaned up the design, now I'm optimizing it and then I'll think of ways in which it can be exploited".


