Re: A future off HackerOne?
From: Patrick Monnerat via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 12 Aug 2025 22:01:18 +0200
On 8/12/25 6:20 PM, Daniel Stenberg via curl-library wrote:
> Hello,
>
> I've sent an email to IBB and asked them if they see any problem with
> us remaining within the bounty-program but leaving HackerOne as a
> platform. They have not responded yet.
>
> We decided a while back to track the development of the bug bounty
> program before making any decision about its future, but I don't think
> we can spot any obvious improvements. On the contrary really. There's
> now a rather intense flood of rubbish thrown at us.
>
> Step 1
>
> Depending on what IBB says, I think we can plan for giving up
> HackerOne in the September time frame or so. If we do that, I'm
> thinking we should enable "Private vulnerability reporting" on GitHub
> and switch to using that instead - with the hope that banning and
> controlling users on that platform works a little better.
>
> Step 2
>
> If that does not help enough, I think dropping the bounty part could
> be a next step. At least as a temporary thing to see if the removed
> monetary incentive changes anything. I suspect that it won't change
> things much.
>
> Step 3
>
> If removing the money motivation does not help enough (as I suspect),
> we could consider introducing some additional "friction" to the
> process. Like a contract and/or deposit done separately before we
> accept a report. Or something.
One thing considered as "flawed" in HackerOne is the reputation, as it
is easy to restart the counter from zero in case you have a bad one.
However if we drop HackerOne, we lose this indicator: why don't we turn
it to our advantage by just requiring a strictly positive reputation
that cannot be reached by non-serious people before considering reports?
This won't decrease the number of submissions a lot (unless HackerOne
allows you to block low scores), but will greatly reduce the
investigation time spent by the security team members.
Just an idea.
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2025-08-12