Just here to say that it's gnarly to see my book quoted. A friend just told me about it
I can speak on this subject - Rob Monster was asked if he had a Bug Bounty program, in which he declined to respond. I looked at all of the common places for a BBP to be hosted by Epik, but found no results. Additionally, I did not see results for a Vulnerability Disclosure Program either.
intext:"bug bounty" epik(.)com
intext:"vulnerability disclosure program" epik(.)com
intext:"vdp" epik(.)com
epik(.)com/security(.)txt (404 not found)
intext:"report a vulnerability" epik(.)com
Not exactly sure where he's running a bug bounty program and based on past interactions with him, including asking about SDLC processes and receiving the response of "I don't know what that is", I have little faith in his ability to run a program in a responsible manner.
My presumption would be that he would operate a private program (which is good) however, he would probably self-host it. Considering he doesn't know the first thing about what constitutes a data breach, I won't hesitate to say that his BBP [if he has indeed started one] will be miserable for hackers. If he can't understand basic PCI-DSS and GDPR regulations, how could one expect him to understand complex vulnerabilities?
Not maintaining a basic security point of contact is one of the easiest ways to end up with unpatched vulnerabilities sprayed all over the web. On the "contact" page - there's not even a basic POC listed for a security team - which is likely because they don't have one.