[f-]

If you do that, you're merely trading one grievance for another: "evil company marked my bug as duplicate to avoid paying" for "evil company claimed to have gotten duplicate reports to weasel out of paying the full amount". More people upset, although individually, maybe to a lesser extent.

The core issue is not the reward division algorithm, it's the inherent lack of visibility. One solution here would be to just open all reports after a while, but this creates problems of its own. One is that it gives ammo to people engaging in dishonest or clueless PR. Another is that some researchers don't actually want visibility, because their employers have murky rules around such engagements, or because they have some far-off disclosure timeline in mind (as a part of a presentation at a conference, or whatnot).

[yardstick]

How about combining reward splitting with having some way to show a count of recent submissions (no details, just count), so people know before submitting that there is a chance someone else already submitted the issue.

Or a mechanism for companies that use email to register the researchers submissions in HackerOne. The details will be sealed and non-public, with researchers having no way to know it exists unless the company provides a link to it as proof of work. HackerOne thus acts as a kind of notary against accusations from researchers that it wasn’t really a duplicate.

[paulryanrogers]

How about dividing among reporters, bounty increases the longer it's not fixed since first report, and those paid must be publicly acknowledged.

Probably also need stiff penalties for insiders who might conspire to notify others of bugs and split the pay out.

[tptacek]

Nobody is going to do anything like this. Bug fixes take time to coordinate and deploy, and nobody is going to make themselves and their schedules accountable to some random bug bounty submitter. At the point where you're doing this, you might as well just engage professional pentesters; they don't give a shit when you ship fixes --- you just pay them to find bugs and write them up.

[craftinator]

The trouble with your first point is that companies won't go for it; no point in having HackerOne around if no one will use their platform. It's a tricky problem; let's solve it with AI and Blockchain!

[paulryanrogers]

Why not divide the payout? The companies paying will pay the same amount, just divided among all the reporters. They already do the work of identifying duplicate reports. Maybe it could be weighted to pay more to the first reporter.

As far as not doing it. At some point critical industries may be have to be regulated to force them to behave responsibly.