It's not a horrible idea... the challenge there would be making that payment/refund flow totally transparent in order to build trust and be fair to the researchers.
Making a payment/refund setup is more complicated than "set and forget".
First question: Do you keep money for shit reports?
Well no, you have to pay it back, like credit card validation. There is no pain for posting a shit report, just inconvenience. There is no legal way where you can keep the money.
Why not?
Because you are not providing any service, not selling anything. There is no real way as a company to withhold someone's money and have it go through accounting.
I am not an accountant so ask some accountants why not.
To participate in the bug bounty program, you must pay ACME Inc. $1 (one U.S. dollar) per submission. This payment is non-refundable as it covers our triage costs and bounty payment processing fees. You may submit a vulnerability without paying, but you will not be eligible for receiving any bounty payments under this program.
If your disclosure otherwise meets all of the guidelines of the program, but is not eligible for a bounty, we may, in our sole discretion, award you a bounty of $1.
It's not illegal to ask people to send you money and then keep the money they send you.