Curl: A future off HackerOne?

@bagder Monetary incentive isn't the problem. The problem is offering bounties without requiring submitters to pay a protection fee: If a bounty is granted, this bounty easily compensates the fee. If the bounty is rejected, the fee is split 80:20 between the maintainer who evaluated the submission and the platform.

Not much difference for serious submitters. Tiny compensation for maintainers. Huge barrier for fraudsters.

@bagder In my opinion this would be a good approach:
- make it VDP on HackerOne (or GitHub advisories), so people can still report vulnerabilities but without rewards (potentially reward actual good reports if severe at your discretion)
- make a paid invite-only program on HackerOne as well and invite hackers with good reputation and offer nice bounties
@bagder what does IBB stand for? 🤔
@apollo the internet bug bounty hackerone.com/ibb
@bagder thank you Daniel, I didn't know this name.
@bagder Sounds like a hackerone problem. Have they said anything about this whole situation? (Not curl specifically but in general.)
@bagder maybe you can create a lower tier of bounty ("hey, curl can access file://, isn't that dangerous somehow?!") where reviewers are a wider circle, but the reward is primarily a t-shirt "I found an exploit in cURL and all I got was this lousy t-shirt" for the submitter and reviewer.
And an AI one where, if someone can show *reproducibly* how they can effectively use AI to screen code for weaknesses, they get a good reward (set a false positive threshold to qualify).
@bagder oh and tar and feathers if AI help wasn't disclosed.