
holuponemoment | 10 months ago

Simply charge a fee to submit a report. At 1% of the payment for low bounties it's perfectly valid. Maybe progressively scale that down a bit as the bounty goes up. But still for a $50k bounty you know is correct it's only $500.


Jean-Papoulos | 9 months ago

No need to make it a percentage; charge $1 and the spammers will stop extremely quickly, since none of their reports are valid.

But I do think established individuals and institutes should have free access; leave a choice between going through an identification process and paying the fee. That's if it's such a big problem that you REALLY need to do something; otherwise just keep marking as spam.

cedws | 9 months ago

If you charge a fee the motivation for good samaritan reports goes to zero.

bloppe | 9 months ago

That's why they offer cash bounties. You don't need to charge a fee if there is no bounty (aka an actual good Samaritan situation), cuz then there's no incentive to flood it with slop

ponector|10 months ago

You are adding more incentive to go directly to the black market to sell the vulnerability.

Also, I've heard many times of cases where the company refused to pay the bounty for one reason or another.

And taxes: how will you tax it internationally? Sales tax? VAT?

imtringued|10 months ago

Why charge a fee? All you need is a reputation system where low-reputation bounty hunters need a reputable person to vouch for them. If it turns out to be false, both take a hit. If true, the voucher gets to be a co-author and gets a share in the bounty.

Snacklive | 9 months ago

That's just a way to create a toxic environment filled with elitism, similar to StackOverflow.

lucyjojo|10 months ago

Gentle reminder that the median salary of a programmer in Japan is 60k USD a year. 500 USD is a lot of money (I would not be able to afford it personally).

I suspect 1 USD would do the job perfectly fine without cutting out normal non-American people.

justsid|10 months ago

Could also be made refundable when the bug report is found to be valid. Although of course the problem then becomes some kid somewhere who is into computers and hacking finds something but can't easily report it because the barrier to entry is too high now. I don't think there is a good solution, unfortunately.

rogerrogerr|10 months ago

That kid could find a security expert (it's easy to do) and they could both validate it and post the money. I don't think it would be hard to find someone with $10k with the right skill set.

Pick someone already rich so the reputational damage from stealing your bounty exceeds the temptation. The repeat speakers list at DEF CON would be a decent place to start.

edoceo|10 months ago

The world of AI slop needs a human assertion component. Like: I'm real and I stake a permanent reputation on the claim I'm making. An "I'm actually human" gate.