▲ | sealeck 4 days ago |
Even a deposit works well (and doesn't have to be large). Someone who has actually found a serious bug in cURL will probably pay $2-5 dollars as a deposit to report (especially given the high probability of a payout).

▲ | SAI_Peregrinus 3 days ago | parent | next [-]
One issue is who pays the processing fees for the deposit & refund transactions. HackerOne could work around that issue by copying the practices of video game "microtransaction" payments: sell "report points packs", say 2500 points for $25 minimum in a pack. User needs to deposit 100 points to report, for each report they open. If the report is accepted they get their 100 points back; if not, they lose their 100 points. If they want to open more than 25 reports at once they need more points packs. The $25 pack is non-refundable, so there's no added transaction fee for the refund.

▲ | kg 3 days ago | parent | prev | next [-]
I can afford it, but I would never spend money to submit a vulnerability report. I'd need to be reporting dozens of vulnerabilities on a single site like HackerOne to work up the motivation to plug in payment details and risk having them leaked/stolen in order to do someone else's work for them. I'd sooner click sponsor for the cURL project on GitHub (something I already do for some OSS I use) than spend money to report a bug.

▲ | zupa-hu 4 days ago | parent | prev | next [-]
Exactly my thoughts. I'd love to have this for phone calls and SMS as well. If you didn't spam me, I'll refund.

▲ | pixl97 3 days ago | parent | prev [-]
That, or the dark vuln market will find a way to vet bugs and pay out faster and easier than the actual project.