Comment by holuponemoment

holuponemoment May 6, 2025 parent

Simply charge a fee to submit a report. At 1% of the payment for low bounties it's perfectly valid. Maybe progressively scale that down a bit as the bounty goes up. But still for a $50k bounty you know is correct it's only $500.

Jean-Papoulos May 7, 2025

No need to make it a percentage ; charge $1 and the spammers will stop extremely quickly, since none of their reports are valid.

But I do think established individual and institutes should have free access ; leave a choice between going through an identification process and paying the fee. If it's such a big problem that you REALLY need to do something ; otherwise just keep marking as spam.

cedws May 7, 2025

If you charge a fee the motivation for good samaritan reports goes to zero.

bloppe May 7, 2025

That's why they offer cash bounties. You don't need to charge a fee if there is no bounty (aka an actual good Samaritan situation), cuz then there's no incentive to flood it with slop

LocalH May 7, 2025

Another comment in this overall thread indicated that they still receive LLM slop despite not offering bounties. Clout can be as alluring a drug as money.

Vilian May 7, 2025

Curl has dozen of garbage bug reports made using AI where even the author can't point where the bug if, they answer with "the AI said so it's true"

ponector May 7, 2025

You are adding more incentive to go directly to black market to sell vulnerability.

Also I've heard many times cases when company refused to pay bounty for any reason.

And taxes, how you'll tax it internationally? Sales tax? VAT?

imtringued May 7, 2025

Why charge a fee? All you need is a reputation system where low reputation bounty hunters need a reputable person to vouch for them. If it turns out to be false, both take a hit. If true, the voucher gets to be a co-author and a share in the bounty.

Snacklive May 7, 2025

That's just a way to create a toxic environment filled with elitism similar to StackOverflow

lucyjojo May 7, 2025

gentle reminder that the median salary of a programmer in japan is 60k USD a year. 500 usd is a lot of money (i would not be able to afford it personally).

i suspect 1usd would do the job perfectly fine without cutting out normal non-american people.

justsid May 6, 2025

Could also be made refundable when the bug report is found to be valid. Although of course the problem then becomes some kid somewhere who is into computers and hacking find something but can’t easily report it because the barrier to entry is too high now. I don’t think there is a good solution unfortunately.

rogerrogerr May 7, 2025

That kid could find a security expert - it’s easy to do - and they could both validate it and post the money. I don’t think it would be hard to find someone with $10k with the right skill set.

Pick someone already rich so the reputational damage from stealing your bounty exceeds the temptation. The repeat speakers list at defcon would be a decent place to start.

edoceo May 7, 2025

The world of AI slop needs a human assertion component. Like. I'm real and stake a permanent reputation on the claim I'm making. An I'm actually human gate.

This item has no comments currently.