418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Recognition for non-monetary contributions #2116

Open michaellrowley opened 3 years ago

michaellrowley commented 3 years ago

Currently, Huntr implements what I'd call a 'bounty-allowance' (officially 'prize pots' IIRC) that stops paying for vulnerabilities after a certain amount of money has been paid out for a given repository until the next month.

While a good idea, this inadvertently promotes 'vulnerability hoarding' where researchers discover bugs, wait until the repository is eligible for pay-outs again, and then report them instead of reporting them as soon as they are discovered.

I'd suggest providing something similar to HackerOne's 'Good Samaritan' badge to researchers that report a threshold of non-monetarily eligible vulnerabilities so that researchers have a reason not to wait before disclosing, thus saving Huntr money (as they wouldn't need to pay out as much).

b1nslashsh commented 2 years ago

That will be a nice move 😄🙌

JamieSlome commented 2 years ago

@michaellrowley - thank you for the suggestion and apologies for the delay in response 👏

We have discussed various means of awarding badges, and will be iterating on our leaderboard, XP and award mechanisms shortly!

I will keep you updated on the status of these works ❤️