The and-httpd server has a $2,000 "security guarantee" (opens in new tab)

This sort of thing is not new. I think the first one was qmail: http://cr.yp.to/qmail/guarantee.html followed shortly by djbdns: http://cr.yp.to/djbdns/guarantee.html (which was awarded in 2009: http://article.gmane.org/gmane.network.djbdns/13864)

Dovecot also has a similar guarantee: http://dovecot.org/security.html

As does Mozilla: http://www.mozilla.org/security/bug-bounty.html

Even Facebook is in on the game: http://www.facebook.com/whitehat/bounty/

Bug bountying in general of course started with Donald Knuth: http://en.wikipedia.org/wiki/Knuth_reward_check and has recently become moderately popular as a strategy for increasing open-source code quality: http://www.daemonology.net/blog/2011-09-05-lessons-learned-f...

Here is the latest source for anyone with too much time on their hands: http://www.and.org/and-httpd/0.99.11/

Last update from changelog is 2006-09-10

How did this get to the front page when the last update to the source was 6 years ago?

I wanted to give it a try, had to look for the source (found it on sourceforge) tried to ./configure it requires a Vstr from the same website now need to look for the source ...

It's not like they want you to try it :D

That isn't a guarantee it's a bounty. A guarantee would pay out to all affected customers. Affected probably would mean compromised by an attacker.

That page was last modified in 2006. It must have held up well against attacks or he would be broke by now!

I would look to find the last time the code was worked on, but there isn't even a code repository listed.

Similar to the bounty Dovecot http://dovecot.org/security.html has.