On 7/14/25 17:21, Daniel Stenberg via curl-library wrote:
> On Mon, 14 Jul 2025, Patrick Monnerat via curl-library wrote:
>
>> An idea: drop hackerone (it advertises the project bounties too much) and go
>> back to the curl-security mailing list :-)
>
> We discussed this today briefly and we more or less agreed to hold off a bit
> and see how it develops the coming months before we do anything. Possibly the
> bounty has served its purposes now and should be abandoned to remove that
> incentive for the "sloppers".
>
> If we stop the bounty then there would be no point in sticking to HackerOne.
>
> If we leave HackerOne, there might be a better idea to instead switch to using
> the vulnerability handling on GitHub instead of going back to the plain
> mailing list. Partly because we get a few features on github (like private
> repo, plus people don't like mail) and partly because spam filtering on the
> mailing list is annoying to manage already.
>
> But again: we don't do anything just yet. We keep it as-is for a while more
> and watch how it goes.
Could there be some sort of up-front bond requirement to reduce spam reports? There have been a few times I have reported something as a security issue that turned out not to be, but that was usually because of legitimate disagreement over whether an issue turned out to be a security issue.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html