• JakenVeina@midwest.social · 35 points · edited · 18 hours ago

    Add a submission fee that gets refunded as part of the bounty payout, or if the reviewer otherwise judges the submission as obviously legitimate.

    Donate all fee proceeds to charity, if you want to counter any incentive to deny submissions for financial gain.

    • bamboo@lemmy.blahaj.zone · 16 up, 1 down · 16 hours ago

      In the blog post, Daniel does discuss why that is a heavy handed approach:

      People mention charging a fee for the right to submit a security vulnerability (that could be paid back if a proper report). That would probably slow them down significantly sure, but it seems like a rather hostile way for an Open Source project that aims to be as open and available as possible. Not to mention that we don’t have any current infrastructure setup for this – and neither does HackerOne. And managing money is painful.

      • locuester@lemmy.zip · 7 points · 15 hours ago

        managing money is painful

        If only there were an internet programmable money layer….

        Really, this is a simple program that could be written on any number of decentralized financial networks. No custodian of the money is required.

        It’s a shame everyone rolls their eyes when you mention a programmable money solution tho. Crypto bros really fucked themselves there with all the grifting

        • memfree@beehaw.org · 5 points · 12 hours ago

          I read that as including human interaction as part of the pain point. They already offer bounties, so they’re doing some money management as it is, but the human element becomes very different when you want up-front money from EVERYONE. When an actual human’s report is rejected, that human will resent getting ‘robbed’. It is much easier to get people to goof around for free than to charge THEM to do work for YOU. You might offer a refund on the charge later, but you’ll lose a ton of testers as soon as they have to pay.

          That said, the blog’s link to sample AI slop bugs immediately showed how much time humans are being forced to waste on bad reports. I’d burn out fast if I had to examine and reply about all those bogus reports.

  • Jeena@piefed.jeena.net · 11 points · 17 hours ago

    Paying out money to people who send in bug reports is probably the main problem, because it incentivizes them to use AI and send in as many as possible, throwing everything against the wall and hoping that something sticks and they get a payout. While this was a good method before AI, now with AI being able to produce reasonable-sounding text, he needs to stop the money transfer; otherwise they will drown in reports and this number of 5% will get way lower.

    • bamboo@lemmy.blahaj.zone · 5 points · edited · 15 hours ago

      Still, this seems like a HackerOne problem: they’re acting as the middleman and I assume are taking part of the payout. What are they doing to earn the money they’re taking? The reason to go with HackerOne is to facilitate the interactions with people and pass on the reports. It shouldn’t be a curl maintainer’s responsibility to spot obvious AI slop. Maybe this is just the tier they’re on with HackerOne, but considering this is HackerOne’s business model, I would imagine that if huge companies are also dealing with this, then HackerOne will lose a lot of clients.

      Ninja edit: Obviously the problem is the people creating AI slop, but HackerOne should be the ones dealing with it, not open source maintainers.