VladVladikoff parent
This sounds more like an influx of scammers than security researchers leaning too hard on AI tools. The main problem is the bounty structure. And I don’t think these influx of low quality reports will go away, or even get any less aggressive as long as there is money to attract the scammers. Perhaps these bug bounty programs need to develop an automatic pass/fail tester of all submitted bug code, to ensure the reporter really found a bug, before the report is submitted to the vendor.
It's unfortunately widespread. We don't offer bug bounties, but we still get obviously LLM-generated "security reports" which are just nonsense and waste our time. I think the motivation may be trying to get credit for contributing to open source projects.
Simply charge a fee to submit a report. At 1% of the payment for low bounties it's perfectly valid. Maybe progressively scale that down a bit as the bounty goes up. But still for a $50k bounty you know is correct it's only $500.
No need to make it a percentage ; charge $1 and the spammers will stop extremely quickly, since none of their reports are valid.
But I do think established individual and institutes should have free access ; leave a choice between going through an identification process and paying the fee. If it's such a big problem that you REALLY need to do something ; otherwise just keep marking as spam.
If you charge a fee the motivation for good samaritan reports goes to zero.
That's why they offer cash bounties. You don't need to charge a fee if there is no bounty (aka an actual good Samaritan situation), cuz then there's no incentive to flood it with slop
Another comment in this overall thread indicated that they still receive LLM slop despite not offering bounties. Clout can be as alluring a drug as money.
You are adding more incentive to go directly to black market to sell vulnerability.
Also I've heard many times cases when company refused to pay bounty for any reason.
And taxes, how you'll tax it internationally? Sales tax? VAT?
Why charge a fee? All you need is a reputation system where low reputation bounty hunters need a reputable person to vouch for them. If it turns out to be false, both take a hit. If true, the voucher gets to be a co-author and a share in the bounty.
gentle reminder that the median salary of a programmer in japan is 60k USD a year.
500 usd is a lot of money (i would not be able to afford it personally).
i suspect 1usd would do the job perfectly fine without cutting out normal non-american people.
Could also be made refundable when the bug report is found to be valid. Although of course the problem then becomes some kid somewhere who is into computers and hacking find something but can’t easily report it because the barrier to entry is too high now. I don’t think there is a good solution unfortunately.
That kid could find a security expert - it’s easy to do - and they could both validate it and post the money. I don’t think it would be hard to find someone with $10k with the right skill set.
Pick someone already rich so the reputational damage from stealing your bounty exceeds the temptation. The repeat speakers list at defcon would be a decent place to start.