Start charging users to submit a vulnerability report.
It doesn't matter if it is made by AI or a human, spammers operate by cheaply overproducing and externalizing their work onto you to validate their shit. And it works because sometimes they do deliver value by virtue of large numbers. But they are a net negative for society. Their model stops working if they have to pay for the time they wasted.
Even a deposit works well (and doesn't have to be large). Someone who has actually found a serious bug in cURL will probably pay $2-5 as a deposit to report (especially given the high probability of a payout).
One issue is who pays the processing fees for the deposit & refund transactions. HackerOne could work around that issue by copying the practices of video game "microtransaction" payments: sell "report points packs", say 2500 points for $25 minimum in a pack. User needs to deposit 100 points to report, for each report they open. If the report is accepted they get their 100 points back, if not they lose their 100 points. If they want to open more than 25 reports at once they need more points packs. The $25 pack is non-refundable, so there's no added transaction fee for the refund.
Exactly my thoughts.
I’d love to have this for phone calls and sms as well. If you didn’t spam me, I’ll refund.
I can afford it but I would never spend money to submit a vulnerability report. I'd need to be reporting dozens of vulnerabilities on a single site like hackerone to work up the motivation to plug in payment details and risk having them leaked/stolen in order to do someone else's work for them.
I'd sooner click sponsor for the cURL project on github (something I already do for some OSS I use) than spend money to report a bug.
That's my attitude towards this sort of thing as well, but unfortunately it seems that this attitude is unsustainable now that the cost of generating plausible-looking bullshit has been driven to 0. "Pay to prove humanity" seems like one of the only ways to keep something like this running if we don't build a hugely-invasive system of attestation.
That or the dark vuln market will find a way to vet bugs and pay out faster and easier than the actual project.
I think people who find real bugs have lots of incentives to not sell them to criminals (in and of itself a crime!!)
I mean it depends where you are. In the US my salary is pretty damned high so it's not worth it. Once you start getting in other places, especially those embargoed by the US/EU, then it's a different story.
Presumably Hackerone isn't paying to people under US embargo!
This is a horrible idea. If you want to discourage people from submitting reports then this is how you do it.
Reducing waste, fraud, and abuse is always only one side of the story. I agree it would have a false negative impact (someone does not submit a good report that otherwise would have), but I don't think that instantly makes it a horrible idea. I think the net effect would have to be studied, but I highly doubt all true positive reports would become false negatives. The goal is reducing false positives, so it is going to be a tradeoff and you'd need specific numbers to conclude anything.
Do you really think it is a horrible idea? That is just so harsh of a label.