by hamandcheese 396 days ago
Business idea. Maybe this already exists. A disclosure aggregator/middle man which:

- protects the privacy of folks submitting

- vets security vulns. Everything they disclose is exploitable.

- publishes disclosures publicly at a fixed cadence.

- allows companies to pay to subscribe to an "early feed" of disclosures which impact them. This money is used to reward those submitting disclosures, pay the bills, and take some profit.

A bug bounty marketplace, if you will, that is slightly hostile to corporations. Would that be legal, or extortion?

3 comments

Thought of something along the lines of this too before.

I think there is serious potential for this.

It does indeed already exist in many sectors as trade publications and journalism.

Isn't that basically HackerOne?

No, HackerOne gets paid by the companies, so they're heavily incentivized to work for their benefit.

I've had three really bad experiences with unskilled H1 triagers, so the next vuln I find in a company that uses H1 will go instantly public. I'm never going to spend that much effort again just to get a triager who would actually bother to triage.

Except there you spend several months walking an underpaid person in India who can barely use a shell through reproduction steps, get a confirm after all that work, and the vendor still ignores you.

HackerOne, BugCrowd, et al. don't appear to make any serious effort to vet reports themselves.

Is that true? I thought you could pay for an H1 service that basically had professionals triaging the vulnerabilities and only passed on the correct ones?

Our company pays for one of these third-party triage services for H1.

The quality is seriously lacking. They have dismissed many valid findings.

Ah thank you for the info!

From what I understood, the service is also (very) expensive. Wild.