by paulryanrogers 2215 days ago
How about dividing among reporters, bounty increases the longer it's not fixed since first report, and those paid must be publicly acknowledged.

Probably also need stiff penalties for insiders who might conspire to notify others of bugs and split the pay out.


Nobody is going to do anything like this. Bug fixes take time to coordinate and deploy, and nobody is going to make themselves and their schedules accountable to some random bug bounty submitter. At the point where you're doing this, you might as well just engage professional pentesters; they don't give a shit when you ship fixes --- you just pay them to find bugs and write them up.

The trouble with your first point is that companies won't go for it; no point in having HackerOne around if no one will use their platform. It's a tricky problem; let's solve it with AI and Blockchain!

Why not divide the payout? The companies paying will pay the same amount, just divided among all the reporters. They already do the work of identifying duplicate reports. Maybe it could be weighted to pay more to the first reporter.

As for not doing it: at some point, critical industries may have to be regulated to force them to behave responsibly.