(September 15, 2022, 12:41 PM)blackplatypus Wrote: Good idea. But it's the same problem as always on Breached or RF.

Scammers. Either you don't get paid or you don't get the job done to your satisfaction. As a one-off job, it's in both parties interests to take and not give anything.

Enter ESCROW accounts + third party ARBITRATION to decide if the job was done to the requirements specified.

For certain private things that you don't really want more people privy to, it doesn't work.
Arbitrators tend to also want to be paid
Escrow accounts can be scams unto themselves (escrow account provider and scammer are one and the same)

How do we solve for all of this? I don't see it happening on this forum.

The best solution I've found is "Bounty Hunter" programs - i.e. the main sites everyone uses, but that's not fair either. The payers decide if the found bug is worth it (for bounties) and decide themselves how much to pay.

theres never going to be a perfect system. theres always going to be exit scams, and mainstream bug bounty programs have their own problems. for example, bounty hunters dont really have the ability to improve security in the way the companies running the bounty programs would hope. thats partly due to skill level and partly due to incentives. point is, there is never going to be a perfect rep system and it shouldnt even be attempted, instead i think real results should be used as a metric for rep. if rep is risky/hard to obtain, then that makes it more valuable which makes it less likely it'll be abused. the middleman service will still be an important aspect ofc.

(September 15, 2022, 06:18 PM)SweetDreams Wrote:

(September 15, 2022, 12:41 PM)blackplatypus Wrote: Good idea. But it's the same problem as always on Breached or RF.

Scammers. Either you don't get paid or you don't get the job done to your satisfaction. As a one-off job, it's in both parties interests to take and not give anything.

Enter ESCROW accounts + third party ARBITRATION to decide if the job was done to the requirements specified.

For certain private things that you don't really want more people privy to, it doesn't work.
Arbitrators tend to also want to be paid
Escrow accounts can be scams unto themselves (escrow account provider and scammer are one and the same)

How do we solve for all of this? I don't see it happening on this forum.

The best solution I've found is "Bounty Hunter" programs - i.e. the main sites everyone uses, but that's not fair either. The payers decide if the found bug is worth it (for bounties) and decide themselves how much to pay.

theres never going to be a perfect system. theres always going to be exit scams, and mainstream bug bounty programs have their own problems. for example, bounty hunters dont really have the ability to improve security in the way the companies running the bounty programs would hope. thats partly due to skill level and partly due to incentives. point is, there is never going to be a perfect rep system and it shouldnt even be attempted, instead i think real results should be used as a metric for rep. if rep is risky/hard to obtain, then that makes it more valuable which makes it less likely it'll be abused. the middleman service will still be an important aspect ofc.

One bug bounty program triager was found stealing reported vulnerabilities from reporters and cashing in last month

Yes please! I support

+support

sounds like an exquisite suggestion +support

Scams are always a problem but there's lots of good people too. I did a number of small jobs for people on RF and always got paid and the people were happy with my programming or database parsing work.

+Support would be great to have a section like that but with escrow only