Show HN: BountyGraph: Crowdfunded Bug Bounties and Security Audits

23 points | justicz | 7 years ago | justi.cz

8 comments

tptacek | 7 years ago
One problem with this is that the corporate users who would fund a bounty competitive with the grey market don't really care about the grey market. Some of the bigger companies are even clients of the grey market, either through threat intelligence feeds or even through exploit acquisition (for red teaming).

Another issue is that for the vast majority of applications, the bounty pools you seem to be considering are way, way too big. The $3000 Google & friends will pay you through the IBB for serverside bugs is mostly a gift from them. You should read things like the Zerodium payouts as "we might pay AS MUCH AS...", and also know that when they say they'll pay "up to" $10k for RCE on Roundcube, they mean literally: RCE, and has to be Roundcube. They won't pay you for XSS and they won't pay you for an RCE in something _like_ Roundcube.

Your demo page shows a funding goal of $50,000... for BountyGraph. Not 1 HackerOne program in 10 is funded even to the tune of $20k, and those people all run actual businesses.

Thriptic | 7 years ago
> One problem with this is that the corporate users who would fund a bounty competitive with the grey market don't really care about the grey market.

Mind elaborating?

> Your demo page shows a funding goal of $50,000... for BountyGraph. Not 1 HackerOne program in 10 is funded even to the tune of $20k, and those people all run actual businesses.

Sure, but in this case you're not relying on one business to fund the whole bounty; theoretically many businesses would be pooling funds. If hundreds of companies pledge small amounts, you are looking at real money being made available.

JustMatthew | 7 years ago
The crowdfunded aspect is interesting, and I like how the total value crowdfunded (i.e. the total bounty pot or pool) is displayed. That could serve as a powerful signal to attract bounty hunters.

That said, as a non-coder but an avid bounty setter and bounty hunter on beta.cent.co, I am wondering if there aren't any other UX tweaks that could be employed on BountyGraph to either attract and keep more bounty hunters or participating corporate users/funders or both.

Specifically, the social aspect that Cent facilitates has resulted in a very interesting general community that also functions as an army of on-demand bounty hunters. I imagine something similar but tailored to the technical bounty hunters your site will need could be spun up at a cost to be sure, but a relatively small one compared to the value that attracting such an army of bounty hunters could generate.

justicz | 7 years ago
Hi, apologies for not replying to this last week when you originally posted this!

I think this is really good feedback, and I agree it would be very cool to build a community of hackers on BountyGraph. I'd really like to build a "write-ups" feature into the site where users can post about interesting bugs they've found. We haven't built a reputation system yet either, which is definitely going to be important down the road.

Thanks for the feedback :)

dee-see | 7 years ago
Just a little UX note: I'm trying to register and I get a "Username is invalid" error. I have a special character in it ("-") so I guess that's why, but it would be a good idea to state your validity rules in the error message.

justicz | 7 years ago
Thank you -- added to the to-do list :)