418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Fix bounty is too low #2168

Open carakas opened 2 years ago

carakas commented 2 years ago

Is your feature request related to a problem? Please describe.
I'm always frustrated when I get a low-quality report that takes a lot of time to fix but a huge part of the bounty still goes to the reporter.

Describe the solution you'd like
A better way of balancing the bounties, either automatically or manually based on the quality of the report and the time needed for the fix.

Describe alternatives you've considered
Split the bounties half-half again like it used to be.

HDVinnie commented 2 years ago

I noticed a CSRF was $3.75 to fix for a single occurrence. However, another CSRF disclosure on the same repo with 15-ish occurrences is still only $3.75 to fix. Seems odd. I would think it would be more of an incentive to the maintainer if the fix bounty also rose per occurrence like the disclosures do. Just my two cents.

Haxatron commented 2 years ago

As a researcher, when I bundle up my occurrences, I see that the maintainer will get less money (because the prize pot will decrease) even though they have more to fix. So I agree that the fix bounty should match up to the original vulnerability + occurrences.

jaapmarcus commented 2 years ago

I think it is fair to calculate the fix bonus based on the number of occurrences + current fix bonuses.