Re: A future off HackerOne?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 12 Aug 2025 23:44:56 +0200 (CEST)
On Tue, 12 Aug 2025, Patrick Monnerat via curl-library wrote:

> One thing considered as "flawed" in HackerOne is the reputation, as it is
> easy to restart the counter from zero in case you have a bad one.

Yeah. I think people often have more long-lasting accounts on GitHub, which
makes me think bans might work slightly better there. Or perhaps I'm just too
optimistic.

> However if we drop HackerOne, we lose this indicator: why don't we turn it
> to our advantage by just requiring a strictly positive reputation that
> cannot be reached by non-serious people before considering reports?

Because HackerOne doesn't allow us to set that threshold. Because they don't
seem too willing to work with us on this problem.

> This won't decrease the number of submissions a lot (unless HackerOne allows
> you to block low scores), but will greatly reduce the investigation time
> spent by the security team members.

Yeah but accepting the report only to immediately close it if the reporter has
too low a reputation feels like an icky solution. Disrespectful even. I
wouldn't mind requiring a certain reputation level and I think that would even
be a good thing to try, but then we would need to reject it earlier; before
the user gets to submit it.

But HackerOne has no such setting.
-- 
/ daniel.haxx.se || https://rock-solid.curl.dev

Received on 2025-08-12