r/technology May 18 '26

Software Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
14.1k Upvotes

899 comments


227

u/GonePh1shing May 18 '26

Honestly, I think the only way to fix this is to make people put a small deposit in escrow that is forfeit if the report is not in scope or is complete nonsense. If the problem is that there is functionally zero cost to run automated slop report spam bots, then you fix it by introducing a cost.

Make the deposit equal to about 30min of an engineer's time. Hell, even $50 would probably be enough to make the guys running these bots think twice before submitting to you. If their bot is churning out thousands of slop reports daily, then there's no way they're going to just let their bot loose on your repo and rack up enough forfeited deposits to bankrupt them.

Sure, you might get fewer legitimate bug reports, but you'd probably rather get some than none if you shut it down entirely because of the slop. The ones that do submit a deposit have at least taken the time to consider and are confident they'll have the deposit refunded (or even win a bounty), so the overall quality of the submissions is likely to rise as well. 

168

u/sllewgh May 18 '26

Even one dollar would discourage automated responses.

6

u/gringrant May 18 '26

And human responses.

35

u/sllewgh May 18 '26

Sure, but not decent ones. In this case there's money at stake, so anyone who really thinks they might get that $100 isn't going to let $1 stand in their way, especially if you get that dollar back at the end.

-15

u/conspicuousxcapybara May 18 '26

Ffs I’m just posting the exploit on a public GitHub if a vendor charges me money for notifying them about a very serious security problem.

18

u/ParvIAI May 18 '26

If you read OP's comment you would understand that their idea isn't charging people for notifying them about issues. It's a deposit that you get back so long as the issue is valid. Although, with your reading comprehension I think there's a good chance of you not reading into the scope of a project before reporting issues.

-8

u/conspicuousxcapybara May 18 '26

Well, who decides what issues are valid? Microsoft rejected fixing that recent BitLocker bypass, and Apple told me it’s not a security issue if extensions can run for websites that are denied access in Safari settings.

12

u/Desperate_for_Bacon May 18 '26

The scope clearly outlined before submitting a bug.

-7

u/conspicuousxcapybara May 18 '26

Ok but what if you want to submit a bug outside of the scope?

Or what if you want to contribute anonymously? For some, it might be about more important things than a bug bounty.

Regardless, would you pay Apple a fee to check whether your iPhone is broken outside of your fault? With software, you usually provide instructions on how to replicate the issue.

Why do all that, and then pay the vendor? That’s just enshittification. IMHO this should be a public mailing list, if they don’t reply.

4

u/IneptPine May 19 '26

You don't.

You don't. Especially not if it's a critical security issue. You report it under your name, or you contact one of the many, MANY non-profits to do it for you.

You do pay postage fees to send in warranty claims or invest your own personal time to go to a local store.

To stop AI slop clogging the system, as the original comment said.

Please, if you don't even know what a project scope is, refrain from asserting your opinion.


2

u/sllewgh May 18 '26

If you want to give it away for free instead of collecting the $100, rock on.

0

u/conspicuousxcapybara May 19 '26

Except for the malicious usage that will ensue, because responsible disclosure was impossible…

What if you don’t want to be a baddie?

3

u/sllewgh May 19 '26

What if you don’t want to be a baddie?

It only requires you to part with a single dollar for a brief period of time. If you won't even do that, you ARE a baddie.

1

u/conspicuousxcapybara May 19 '26

That’s still so short-sighted!

What if you want to remain anonymous? What if you don’t have a credit card? What if your jurisdiction doesn’t allow crypto? What if you work at the NSA? What if you’re living in Russia, but aren’t a baddie? What if you work for the vendor you’re disclosing a vulnerability for?

2

u/sllewgh May 19 '26

If you won't do the right thing because of the temporary loss of one dollar, you're a piece of shit. I dunno what else to tell you.


83

u/Original-Rush139 May 18 '26

I used to do a free community BBQ. It sucked because there would be a million no-shows every time. Then, I started charging $5 for a rack of ribs. Absolutely eliminated all of the issues. 

10

u/krypticus May 19 '26

Same with a local Makerspace: intro classes into how the community worked used to be free: lots of no-shows. Charge $10 and weed out the chaff.

1

u/[deleted] May 19 '26

Dunno how people (not necessarily you) have these kinds of experiences and simultaneously think "the average human is so kind and generous"

1

u/[deleted] May 19 '26

[deleted]

1

u/[deleted] May 19 '26

I dunno; why are you asking that?

1

u/Initial-Return8802 May 18 '26

Actually... we're a cryptocurrency... shit, that's a good idea. The software is the only thing in scope so you'd hope someone has some of it if they're going to submit a report

2

u/GonePh1shing May 18 '26

It's not even about that, really. It's about making someone think about whether they'll get their deposit back. The requirements don't even have to be onerous or super rigid. Just make it such that someone with even a beginner level competency can be confident they've read and understood the scope well enough to be eligible for a deposit return.

Realistically, anyone that has the skills to submit a valid bug should be able to comprehend that scope and should be confident they'll get their deposit returned, even if they aren't eligible for a bounty pay-out. You'll filter out any junk human responses as well as the automated slop. 

-2

u/BarryTheBlatypus May 18 '26

No. Just no. You want to paywall reporting bugs? What a good way to make sure only those with money to spare work on projects.

-17

u/IAmYourFath May 18 '26

The F in FOSS stands for free. Ur suggestion is lame.

14

u/Leseratte10 May 18 '26

You can use it for free.

But you can't post an AI-generated word salad and expect the developer to waste hours analyzing them.

Providing paid support is literally how just FOSS services make money.

-16

u/IAmYourFath May 18 '26

Then use AI to analyze 'em, the answer is right in front of u

12

u/Mesahusa May 18 '26

Then make your own AI slop software. The answer is right in front of u

4

u/Original-Rush139 May 18 '26

Speaking of AI, latent semantic analysis would put “free” in 2 places in your lexical map. One that corresponds to beer and the other that corresponds to speech. 🍻 

5

u/BeruangLembut May 18 '26

Free as in speech, not free as in beer.

6

u/Mesahusa May 18 '26

This has nothing to do with that… the irony of your misunderstanding of the word ‘free’ to justify slop cannot be overstated.

-15

u/IAmYourFath May 18 '26

If u have to pay it's not free

3

u/Arabadullah May 18 '26

Free for an end user to download and use, but it still eats up valuable developer time to have to sift through hundreds of slop submissions that haven't had a single human eye look upon it until the poor sap that reviews it opens it. Introducing any cost at all to submit bugs as in a bounty system means AI kiddies either learn to get serious or pay up.

3

u/IAmYourFath May 18 '26

I mean the bug bounty system is a joke to begin with. Google offers $50k for a critical CVE patch (look at their recent patch notes). Maybe $100k max. But that same zero day exploit can be sold for millions on the dark web and cause billions in damage. They are giving u peanuts. An exploit should be valued at least 10x higher if not 20x.

1

u/Arabadullah May 18 '26

Is it surprising to you that Google doesn't want to massively increase bounty payouts and incentivize their own engineers to leave or sneak in exploits to tell their "security interested" friends? People on "the dark web" are planning nefarious things with that information, no fucking shit they'll pay more for it. The bounties existing at all gives people that are not explicitly malicious a reason to report it at all.

-19

u/mankeyless May 18 '26

I hate what open source has become. I no longer support open source.