This is what happened. Tesla security received tons of bug reports that required root access to identify, yet they got a vanishingly small number of root vulnerability reports. This policy fixes that misincentive.