Hello,

I've sent an email to IBB and asked them if they see any problem with us remaining within the bounty-program but leaving HackerOne as a platform. They have not responded yet.

We decided a while back to track the development of the bug bounty program before making any decision about its future, but I don't think we can spot any obvious improvements. On the contrary really. There's now a rather intense flood of rubbish thrown at us.

Step 1

Depending on what IBB says, I think we can plan for giving up HackerOne in the September time frame or so. If we do that, I'm thinking we should enable "Private vulnerability reporting" on GitHub and switch to using that instead - with the hope that banning and controlling users on that platform works a little better.

Step 2

If that does not help enough, I think dropping the bounty part could be a next step. At least as a temporary thing to see if the removed monetary incentive changes anything. I suspect that it won't change things much.

Step 3

If removing the money motivation does not help enough (as I suspect), we could consider introducing some additional "friction" to the process. Like a contract and/or deposit done separately before we accept a report. Or something.

--

 / daniel.haxx.se || https://rock-solid.curl.dev