On Tue, 12 Aug 2025, Patrick Monnerat via curl-library wrote:
> One thing considered as "flawed" in HackerOne is the reputation, as it is easy to restart the counter from zero in case you have a bad one.

Yeah. I think people often have more long-lasting accounts on GitHub, which makes me think bans might work slightly better there. Or perhaps I'm just too optimistic.

> However if we drop HackerOne, we lose this indicator: why don't we turn it to our advantage by just requiring a strictly positive reputation that cannot be reached by non-serious people before considering reports?

Because HackerOne doesn't allow us to set that threshold. Because they don't seem too willing to work with us on this problem.

> This won't decrease the number of submissions a lot (unless HackerOne allows you to block low scores), but will greatly reduce the investigation time spent by the security team members.

Yeah, but accepting the report only to immediately close it if the reporter has a too low reputation feels like an icky solution. Disrespectful even. I wouldn't mind requiring a certain reputation level and I think that would even be a good thing to try, but then we would need to reject it earlier; before the user gets to submit it.

But HackerOne has no such setting.

-- 
/ daniel.haxx.se || https://rock-solid.curl.dev
