In the blog post, Daniel does discuss why that is a heavy handed approach:
People mention charging a fee for the right to submit a security vulnerability (that could be paid back if a proper report). That would probably slow them down significantly sure, but it seems like a rather hostile way for an Open Source project that aims to be as open and available as possible. Not to mention that we don’t have any current infrastructure setup for this – and neither does HackerOne. And managing money is painful.
If only there were an internet programmable money layer….
Really, this is a simple program that could be written on any number of decentralized financial networks. No custodian of the money is required.
It’s a shame everyone rolls their eyes when you mention a programmable money solution tho. Crypto bros really fucked themselves there with all the grifting
I read that as including human interaction as part of the pain point. They already offer bounties, so they’re doing some money management as it is, but the human element becomes very different when you want up-front money from EVERYONE. When an actual human’s report is rejected, that human will resent getting ‘robbed’. It is much easier to get people to goof around for free than to charge THEM to do work for YOU. You might offer a refund on the charge later, but you’ll lose a ton of testers as soon as they have to pay.
That said, the blog’s link to sample AI slop bugs immediately showed how much time humans are being forced to waste on bad reports. I’d burn out fast if I had to examine and reply about all those bogus reports.
Add a submission fee that gets refunded as part of the bounty payout, or if the reviewer otherwise judges the submission as obviously legitimate.
Donate all fee proceeds to charity, if you want to counter the any incentive to deny submissions for financial gain.
In the blog post, Daniel does discuss why that is a heavy handed approach:
If only there were an internet programmable money layer….
Really, this is a simple program that could be written on any number of decentralized financial networks. No custodian of the money is required.
It’s a shame everyone rolls their eyes when you mention a programmable money solution tho. Crypto bros really fucked themselves there with all the grifting
I read that as including human interaction as part of the pain point. They already offer bounties, so they’re doing some money management as it is, but the human element becomes very different when you want up-front money from EVERYONE. When an actual human’s report is rejected, that human will resent getting ‘robbed’. It is much easier to get people to goof around for free than to charge THEM to do work for YOU. You might offer a refund on the charge later, but you’ll lose a ton of testers as soon as they have to pay.
That said, the blog’s link to sample AI slop bugs immediately showed how much time humans are being forced to waste on bad reports. I’d burn out fast if I had to examine and reply about all those bogus reports.
Oh that is a surprisingly good idea actually.