Mathias Hasselmann, in reply to daniel:// stenberg://:
Monetary incentive isn't the problem. The problem is offering bounties without requiring submitters to pay a protection fee: If a bounty is granted, the bounty easily compensates for the fee. If the submission is rejected, the fee is split 80:20 between the maintainer who evaluated the submission and the platform.
Not much difference for serious submitters. Tiny compensation for maintainers. Huge barrier for fraudsters.
@GossiTheDog I really hope moving off H1 helps reduce headaches, but any high-visibility bug bounty program has the same issues now. Even programs outside the major BB platforms are struggling with a high volume of lower-quality reports (both by humans and AI).
ang_mo_uncle, in reply to daniel:// stenberg://:
Maybe you can create a lower tier of bounty ("hey, curl can access file://, isn't that dangerous somehow?!") where the reviewers are a wider circle, but the reward is primarily a t-shirt ("I found an exploit in cURL and all I got was this lousy t-shirt") for the submitter and the reviewer. And an AI one where, if someone can show *reproducibly* how they can effectively use AI to screen code for weaknesses, they get a good reward (set a false-positive threshold to qualify).