by krazydad 27 days ago
Meanwhile, several companies are no longer offering bounties. It's becoming tedious to sift through all the AI-generated submissions, many of which are false positives.

I think this period of false positives is ending: https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/ That's according to the curl maintainer who initially blew the lid on the false positives problem.
Better models are better.

But smaller and cheaper models which produce more junk are cheaper.

The cost is with the project maintainer, not with the bounty hunter.

Don't worry, the fact that you may be able to get something worth a dime out of these models if you really try does not yet mean you won't get flooded by slop from people who did not bother at all. The background noise is elevating rapidly and discerning signal from it takes more and more effort.
Just require people submitting a bounty to post an evaluation fee. If it's a real bug they get a refund and the bounty. If it's AI slop, you keep the evaluation fee.
> If it's AI slop, you keep the evaluation fee.

The number of problems this creates absolutely isn't worth it.

You've traded a higher barrier of entry for a PR nightmare when someone publicly complains that you ate their legit submission fee as a money grabber.

Bounties already have that whenever you reject one for being nothing.
Agreed, but that's a way easier line to defend than AI vs. human. The amount of subjectiveness in human-AI discussion ... well, we can't tell anymore.
You don't have to determine if it's an AI or not. If AI finds a real bug then it can get the bounty. If a human pays to make you read artisanal hand-crafted word salad then they don't get a refund. Real bugs get the bounty, imaginary bugs pay the fee.
This might work, but only if the evaluations are done through a trusted third-party entity where none of the money ever reaches the company you're submitting to.
You only need things like that for non-iterated games. A company that gets a reputation for keeping the money when it's a real bug would stop getting real bug reports.
Weird argument. You're trusting they will pay the bounty if it's a real bug, why not trust they will refund the fee?
Building trust is the hard part, which is why you aggregate all that trust into an entity that everyone else is verifying as trustworthy.
In this case, who is that entity?