bawolff 4 hours ago

Bug bounties often involve a lot of risk for submitters. Often the person reading the report doesn't know that much and misinterprets it. Often rules are unclear about what sort of reports are wanted. A pay to enter would increase that risk.

Honestly bug bounties are kind of miserable for both sides. I've worked on the receiving side of bug bounty programs. You wouldn't believe the shit that is submitted. This was before AI and it was significant work to sort through, I can only imagine what it's like now. On the other hand for a submitter, you are essentially working on spec with no guarantee your work is going to be evaluated fairly. Even if it is, you are rolling the dice that your report is not a duplicate of an issue reported 10 years ago that the company just doesn't feel like fixing.

entuno 2 minutes ago | parent | next [-]

Vulnerability disclosure in general is just miserable. Before all the bug bounty issues it was pretty common to:

* Spend ages trying to find someone to submit a report to.

* Waste a whole load of time fighting through the generic contact and support desks to try and get your report to someone who understood it.

* Get completely ignored by the developers.

* Spend time reporting a bug only for them to silently fix it without even bothering to respond to you, let alone acknowledge you.

* Get legal threats for making a good-faith bug report, even if you found it in a locally deployed instance of the software.

* Get called a black hat and more legal threats when you give up and just go down the full disclosure route.

ANarrativeApe 4 hours ago | parent | prev | next [-]

Pay to enter would increase the risk of submitting a bug report. However, if the submission fees were added to the bounty payable, then the risk/reward changes in favour of the submitter of genuine bugs. You could even have a refund of the submission fee in the case of a good faith non-bug submission. A little game theory can go a long way in improving the bug bounty system...

bawolff 4 hours ago | parent | next [-]

If a competent neutral party was evaluating them, I would agree. However currently these things tend to be luck of the draw.

CTDOCodebases 4 hours ago | parent | prev [-]

They could allow submitters to double down on submissions escalating the bug to more skilled and experienced code reviewers who get a cut of the doubled submission fee for reviews.

eterm 4 hours ago | parent | prev | next [-]

Indeed, increasing the incentive for companies to reject (and then sometimes silently fix anyway) even the valid reports would only increase further misery for everyone.

skirge an hour ago | parent | prev [-]

The real risk is a missed security issue.