MostlyStable 6 hours ago
Closing the program is totally reasonable. However, there is another option: make submitters pay a nominal fee that is returned in the case that a real bug is found.
Aurornis 5 hours ago | parent | next
> Make submitters pay
Asking people to pay to submit bugs would start a firestorm of internet drama about asking people to do free work for the company and pay for the privilege. It doesn't matter if the program actually paid out. If they got even one report closed incorrectly we would never hear the end of it.
umvi 2 hours ago | parent | next
Honestly, depending on the repo, I would pay a reasonable fee to get issues or PRs I open seen. No different than paying a fee to add a new game to Steam: it raises the barrier to entry and prevents a lot of garbage from entering the fray.
unnouinceput 4 hours ago | parent | prev
I see that as an absolute win. Free publicity and all that jazz. Plus idiots with their fake submissions of bugs will either bleed money or gtfo from my repo.
soared 6 hours ago | parent | prev | next
Moving money is not free, and managing payments etc. can be a huge headache. Sometimes it's easy, but sometimes it's not.
wslh 6 hours ago | parent
This is one of the cases where crypto works well.
wslh 4 hours ago | parent | next
I will include this security project as an addendum to my reply: <https://github.com/juli/taint>. Views on crypto can differ dramatically depending on the country you live in.
rvz 6 hours ago | parent | prev
There are many cryptocurrencies that allow anyone to move money quickly, cheaply, and on the same day in less than a minute, and require zero bank accounts. At this point there isn't an excuse.
mort96 5 hours ago | parent
And which are trivial to convert back and forth between real money and cryptocurrency? And hold their value with sufficient stability that you can convert USD into the currency, make a transaction, wait a few weeks, make a transaction the other direction and then convert back into USD, with roughly no loss in value?
sowbug 5 hours ago | parent | next
For this use case, that's a virtuous proof-of-work requirement.
rvz 4 hours ago | parent | prev
Very tough question. Stablecoins?
mort96 3 hours ago | parent
Didn't people realize that those automated pegging algorithms don't really work after the last round of stablecoin collapses?
fidelramos 2 hours ago | parent | next
At least DAI is holding well. It existed before LUNA and it continues to work today.
rvz 2 hours ago | parent | prev
Except not all stablecoins are the same.
mort96 22 minutes ago | parent
They essentially are to me, because I don't know how to differentiate them. Before the collapse, I would not have been able to look at the ones which collapsed and the ones which didn't and predict the outcome.
KolmogorovComp 6 hours ago | parent | prev | next
Unfortunately this isn't all black-and-white. There are some bug bounties where the company is very eager not to pay any bounty, aggressively marking vulnerabilities as out-of-scope or working-as-intended. In those cases you already lose time, but in the future you would also lose money. Unfortunately you don't know how a company will react before submitting, especially if it's a small one.
malfist 5 hours ago | parent | next
It already doesn't stand on face value. These people are spending money to open PRs via their token costs.
therepanic 5 hours ago | parent
No, not them, but those who provide subsidies to AI labs, which is why such people spend almost nothing.
Kwpolska 5 hours ago | parent | prev
I think it would be fair to distinguish "reasonable report, but not actually a vulnerability" (where you get the submission fee back) and "slop" (where you don't).
pornel 6 hours ago | parent | prev | next
That would add administrative overhead, and an even higher incentive for submitters to endlessly argue they're right.
MostlyStable 6 hours ago | parent
Price it right. At the right price, it pays for everything you are talking about. At an even higher price, it is basically closing the program. I'm not trying to suggest they _need_ to implement it. Like I said, closing it is reasonable. Completely aside from any other considerations, one could just decide that they don't feel like dealing with it. But there are other options.
ethanrutherford 3 hours ago | parent
The issue with "at the right price" is that your minimum (what's enough to filter the spam) and maximum (what legitimate contributors are willing to put up with) can be on the wrong side of each other. The "right price", mathematically, isn't guaranteed to exist.
password4321 3 hours ago | parent | prev | next
Charging clankers is the future and it's coming fast. https://news.ycombinator.com/item?id=47793926 "Laravel raised money and now injects ads directly into your agent" (a clickbait headline from a critic, but this seems inevitable).
bee_rider 6 hours ago | parent | prev | next
It sounds like the bug bounty requires the user to extend the simulator to cover the type of bug they found. Maybe they could require a full run of the simulator test suite before submission? This serves as a nice check (that they didn't break the simulator), and maybe it could also produce some proof-of-work artifact as a side-effect... (is this possible? I don't know security).
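The "proof-of-work artifact" bee_rider asks about (and the proof-of-work requirement sowbug mentions further up) has a concrete, well-known shape: a hashcash-style stamp that the submitter must mint for the specific report and that the maintainer can verify with a single hash. This is an added example written for this thread; it is not code from the original post, from Turso, or from any bounty platform. The stamp format, the version prefix, the default difficulty and all function names are assumptions made here, and the report text is constructed.

```python
"""Hashcash-style proof-of-work stamp bound to a bug-report submission (added example)."""
import hashlib
import os
from typing import Optional, Set

# Assumption: 2^20 expected SHA-256 evaluations per stamp. Around a second of
# CPU for one human submitter, but a real cost at bot volumes of 1000 reports.
DEFAULT_DIFFICULTY_BITS = 20


def report_digest(report_text: str) -> str:
    """Hex SHA-256 of the submission text. The stamp is bound to this value,
    so a stamp minted for one report cannot be reused for another."""
    return hashlib.sha256(report_text.encode("utf-8")).hexdigest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the 'work' measure)."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def mint_stamp(report_text: str,
               difficulty_bits: int = DEFAULT_DIFFICULTY_BITS,
               salt: Optional[str] = None) -> str:
    """Submitter side: search for a counter such that SHA-256(stamp) has at
    least difficulty_bits leading zeros. Expected cost is 2^difficulty_bits hashes."""
    if salt is None:
        salt = os.urandom(8).hex()  # fresh salt so two stamps for one report differ
    digest = report_digest(report_text)
    counter = 0
    while True:
        stamp = f"1:{difficulty_bits}:{digest}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode("utf-8")).digest()) >= difficulty_bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, report_text: str,
                 min_bits: int = DEFAULT_DIFFICULTY_BITS,
                 seen: Optional[Set[str]] = None) -> bool:
    """Maintainer side: one hash to check. Rejects stamps that are malformed,
    claim too little work, were minted for a different report, do not actually
    carry the claimed work, or were already spent (replay) when `seen` is given."""
    parts = stamp.split(":")
    if len(parts) != 5 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if bits < min_bits:
        return False  # submitter chose an easier difficulty than the policy requires
    if parts[2] != report_digest(report_text):
        return False  # stamp was minted for some other submission
    if leading_zero_bits(hashlib.sha256(stamp.encode("utf-8")).digest()) < bits:
        return False  # claimed work is not present
    if seen is not None:
        if stamp in seen:
            return False  # replay of an already-accepted stamp
        seen.add(stamp)
    return True


if __name__ == "__main__":
    report = "Constructed sample report text; not a real vulnerability description."
    spent: Set[str] = set()
    stamp = mint_stamp(report, difficulty_bits=16)  # ~65k hashes, near-instant
    print("stamp:", stamp)
    print("accepted:", verify_stamp(stamp, report, min_bits=16, seen=spent))
    print("replayed:", verify_stamp(stamp, report, min_bits=16, seen=spent))
    print("other report:", verify_stamp(stamp, report + " (edited)", min_bits=16))
```

The asymmetry is the point: minting costs the submitter about 2^bits hashes, verifying costs the maintainer one. Binding the stamp to the report digest stops a bot from amortising one stamp across a thousand reports, and the `seen` set stops it from resubmitting the same report. The caveat that matters for this thread is that CPU work is cheap for anyone with a GPU farm, so a proof-of-work stamp raises the floor on spam but cannot stand in for the monetary fee being debated above.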
SlinkyOnStairs 6 hours ago | parent | prev | next
The problem with that approach is that it will also deter genuine submissions, probably more so than a "no bounty" system. For those who encounter bugs as part of their employment, they'd now need to convince their employer to fork over money up front. For most employers, getting them to spend even insignificant money is like pulling teeth. But even for the self-employed or hobbyists, it's gambling real money on "are they going to be a jerk about my exploit report". No offense towards Turso, but the bulk of software firms are TERRIBLE about handling reports like that. Many already have unstated policies of screwing people out of deserved bug bounties at every step. To submit such reports today already requires you to accept that your work is, statistically, just going to be a bunch of free labour that you gave away for the betterment of the product's users. Adding a cash fee just further deters submissions, especially once people haven't gotten their money back a few times. (Consider how many "AI detection tools" are themselves incredibly unreliable machine learning or sometimes even LLM systems.)
xandrius 6 hours ago | parent | prev | next
Easily exploitable without much stretch of a thought. I'd say closing a program which doesn't work anymore is a better idea.
Lalabadie 6 hours ago | parent | next
How so? These bot systems work on volume: there's no regard for how much reviewer time they gobble up. The idea is to make producing reports basically free, so getting 1 in 1000 positives is still a success if you have no regard for externalities. If they have to pay for reviewer time for each of 1000 reports, then the scheme stops being viable.
MostlyStable 6 hours ago | parent | prev
The majority of the exploits I can think of are fixed by setting the correct price. Other suggestions in this thread of denominating in bitcoin fix the other exploitation: chargebacks. If you can think of something that isn't solved by one of those two mechanisms, I'd be interested in hearing them enumerated.
user_7832 6 hours ago | parent | prev | next
Honestly I think this is a great idea. My only suggestion is instead of being very nominal, it should be "reasonable" (so $10 and not $1). It's even possible to directly link this to maintainers/employees: if you can review 10 such AI/real things per hour (likely more if it's AI slop that's easy to detect), you're generating another revenue stream. Now, I have no idea if these guys are based in SF Bay or a 3rd world country with low COL but as an "add on", $100 an hour isn't too shabby (and can be on the "low end" if one's good at spotting AI crap). Side note, isn't it possible to have some way to verify if the "vulns" are actual vulns or not? ...Heck, why not throw an LLM at it, powered by a single $10 submission fee?
basilikum 4 hours ago | parent | next
If I had to deposit $10 to report a vulnerability to a company that could get their entire production/business to halt, I'd publish the exploit.
sgerenser 4 hours ago | parent | prev | next
I believe the company is based in SF, but the developers are all over the world, so $100/hr is probably in the ballpark. Interestingly one of the senior developers is working from prison so his costs are probably a bit lower: https://news.ycombinator.com/item?id=44288937
KronisLV 6 hours ago | parent | prev
Sounds like a startup idea to me! Admittedly, the friction and the fact that you have to pay would prevent a lot of legitimate people from participating, which sucks. AI is really throwing a wrench in the economics of software development, isn't it?
serhack_ 6 hours ago | parent | prev | next
cool idea
IshKebab 5 hours ago | parent | prev | next
Phabricator used to run on a similar system. You had to pay to send them bug reports and feature requests. Sounds a bit weird for an open source project, but I can tell you that the one company I worked at that used Phabricator did pay (and they definitely wouldn't have otherwise), so I think it's a viable strategy. Plus it makes you immune to slop! On the other hand, they did shut down a year or so ago. Didn't say why.