On 8/12/25 6:20 PM, Daniel Stenberg via curl-library wrote:
> Hello,
>
> I've sent an email to IBB and asked them if they see any problem with
> us remaining within the bounty-program but leaving HackerOne as a
> platform. They have not responded yet.
>
> We decided a while back to track the development of the bug bounty
> program before making any decision about its future, but I don't think
> we can spot any obvious improvements. On the contrary really. There's
> now a rather intense flood of rubbish thrown at us.
>
> Step 1
>
> Depending on what IBB says, I think we can plan for giving up
> HackerOne in the September time frame or so. If we do that, I'm
> thinking we should enable "Private vulnerability reporting" on GitHub
> and switch to using that instead - with the hope that banning and
> controlling users on that platform works a little better.
>
> Step 2
>
> If that does not help enough, I think dropping the bounty part could
> be a next step. At least as a temporary thing to see if the removed
> monetary incentive changes anything. I suspect that it won't change
> things much.
>
> Step 3
>
> If removing the money motivation does not help enough (as I suspect),
> we could consider introducing some additional "friction" to the
> process. Like a contract and/or deposit done separately before we
> accept a report. Or something.

One thing considered as "flawed" in HackerOne is the reputation, as it
is easy to restart the counter from zero in case you have a bad one.
However if we drop HackerOne, we lose this indicator: why don't we turn
it to our advantage by just requiring a strictly positive reputation
that cannot be reached by non-serious people before considering reports?
This won't decrease the number of submissions a lot (unless HackerOne
allows you to block low scores), but will greatly reduce the
investigation time spent by the security team members.
Just an idea.