Hacker News new | ask | show | jobs
by lemagedurage 4 hours ago
Have you considered requiring a small payment for vulnerability disclosure? Refund it on payout. This should be very effective at deterring spammers. It also sucks for real reports, but beats shutting down the program entirely.
1 comments
inigyou 4 hours ago
Why would anyone pay money to have a chance of being arrested?
link
lemagedurage 4 hours ago
If a vulnerability disclosure program has a good track record of paying out, and legitimate reports get refunded, why not?

Again, the alternative might be shutting down the program entirely.

link
dns_snek 2 hours ago
Those are 2 big "ifs". The incentives are completely misaligned and the platforms work for the companies. They would now have an even bigger incentive to stonewall and close valid issues than they did before.

They already like blurring the lines by rejecting reports that have clear reproduction scripts, videos, demonstrable (but not critical) impact. They'll close it as "not a bug" but then also forbid disclosure and stonewall mediation requests. Reports are supposed to be kept private until the issue is fixed but the system gets abused to cover up issues long after they've been fixed.

In some cases I strongly suspect it's to evade liability for financial damages that their customers might've suffered. Platform mediation always takes their side and if you want to do what's right, you will get banned.

link
cleverfoo 3 hours ago
It's not a horrible idea... the challenge there would be making that payment/refund flow totally transparent in order to build trust and be fair to the researchers.
link
ozim 2 hours ago
Making, payment/refund setup is more complicated than „set and forget”.

First question: Do you keep money for shit reports?

Well no, you have to pay it back like credit card validation. There is no pain for posting shit report just inconvenience. There is no legal way where you can keep the money.

link
inigyou 21 minutes ago
Why not?
link
MarkusQ 3 hours ago
Sure, it sounds dumb when you say it like that.

But do you know how many people are doing things that are even dumber right this very minute? I don't know either, but I'm sure it's larger than either of us would like to admit.

link
fouc 2 hours ago
why would anyone accept bounty money to have a chance of being arrested?
link