418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Suggestion for a more fair bounty system #2144

Closed Haxatron closed 2 years ago

Haxatron commented 2 years ago

Regarding the new bounty system, I think a better way to implement this would be to do a tiered system where the maintainer rates the severity of a bug using CVSS instead (i.e. 0.5x disclosure amount for Low, 1x for Medium, 1.5-2x for High, 2-2.5x for Critical). This would average out the bounties to 1x and incentivise pursuit of more critical vulns. This would allow researchers to dispute severity, unlike the current system where it may be more sensitive to dispute the monetary amount.

I feel like maintainers should not be in direct control of how much XX money to allocate to the report, as it may introduce some biases (i.e. why is this security researcher earning so much for a vuln which was simple to find but critical?) and may result in them not awarding appropriately.

If you want to award more quality reports, you can also ask them to do a survey that assesses a report's quality and rewards the researcher based on the results of the survey, without telling the maintainers that the survey affects the bounty amount.

jaapmarcus commented 2 years ago

Then you might get problems where users are going to give a higher CVSS than is necessary, and the objection against it was also that maintainers might not know how it works; see https://github.com/418sec/huntr/discussions/2139#discussioncomment-1361887

Haxatron commented 2 years ago

Perhaps one of the factors in determining bounty amount will be CVSS accuracy with the maintainers?

The CVSS can be simplified into questions, for instance when asking on the confidentiality:

What is the amount of sensitive information a hacker can possibly gain by exploiting this vulnerability?

[ ] None [ ] Low [ ] High

I think maintainers should use a 'proxy' to determine the monetary amount, rather than the monetary amount directly. In this way, in the case of any disputes, it is easier to discuss severity rather than the monetary amount, where it may be too arbitrary.

mvz commented 2 years ago

> I think maintainers should use a 'proxy' to determine the monetary amount, rather than the monetary amount directly. In this way, in the case of any disputes, it is easier to discuss severity rather than the monetary amount, where it may be too arbitrary.

As a maintainer, I agree. I have just started getting some reports through huntr and I'm at a complete loss regarding how to reward them.

psmoros commented 2 years ago

Hey everyone! We have deprecated the feature that allowed maintainers to choose the bounty amount for researchers, and we now have a "tiered system" as @Haxatron suggested, but instead of CVSS we use CWEs as a basis to weight criticality.

I will consider this issue resolved but feel free to reopen it if you feel that something's still outstanding.