A couple companies sponsor “the internet bug bounty”: https://www.hackerone.com/internet-bug-bounty

IMHO, sha3 should be part of that bounty.

I'm sorry, we lost millions of dollars due to an exploit.

Don't you have bug bounties to find and fix these things?

But this was in a public standard that we were using, we don't cover those.

Do I look like I care?

Are you telling me this? Or are you going to pay a bounty?

Someone who values security with real money