Early anecdotal data: turning off the bug-bounty may not make much difference... 😱
@bagder People probably pay less attention than you think (this is a general rule of thumb of mine), they may still assume there is monetary reward even without H1. IMO you should give it some time.
@buherator yes, we need to give this time to settle in so this is for sure not a certain observation just yet
@buherator @bagder I never even had a bug bounty for OctoPrint and yet I get slop (or crap) reports and beg bounty mails. But I used to be forced into huntr.dev, which at its start handed out money for accepted issues in open source projects, and I slid into the CTO's DMs to get out of there as that definitely increased the amount of crap. So from my experience, not having a bounty program doesn't offer full protection against slop DDOS attacks, but it certainly helps long term.
@foosel @buherator @bagder I don't know whether "beg bounty" is a typo, but it's funny
Beg Bounties

When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago [https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/], I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone

Troy Hunt
@buherator @bagder @oxyte Not a typo, definition see other reply 😉
@foosel @buherator @bagder Read it already. You learn something new every day, huh

@oxyte @buherator @bagder Be glad you learned about it this way and not by being on the receiving end of it, repeatedly...

I actually have a growing email filter that's now 11 addresses long for one and the same guy who keeps spamming my mail account with generic AF security reports about "the application" every other week. I tried talking to him in the beginning, linked to OctoPrint's security policy, explained that there's no bounty. No response, just more "reports". Now straight to spam.