Early anecdotal data: turning off the bug-bounty may not make much difference... 😱


@bagder they do it for the love of the game 😂

@bagder People probably pay less attention than you think (this is a general rule of thumb of mine); they may still assume there is a monetary reward even without H1. IMO you should give it some time.

@buherator yes, we need to give this time to settle in so this is for sure not a certain observation just yet

@bagder I did not follow this very closely, but my optimistic approach would be that the AI bots still come in because they have not yet found the information that the bug bounty was discontinued. Maybe some humans need to remove it from a list of go-to repositories?

@bagder We never had a bounty program for @weblate and still we get quite some AI slop security reports. In addition, we also get questions on whether we will have a bounty program from the people who submitted AI slop.


@buherator @bagder I never even had a bug bounty for OctoPrint and yet I get slop (or crap) reports and beg bounty mails. But I used to be forced into huntr.dev, which at its start handed out money for accepted issues in open source projects, and I slid into the CTO's DMs to get out of there as that definitely increased the amount of crap. So from my experience, not having a bounty program doesn't offer full protection against slop DDoS attacks, but it certainly helps long term.


@foosel @buherator @bagder I don't know whether "beg bounty" is a typo, but it's funny


@bagder even before the LLM craze, people were spamming security contacts. If it keeps being a problem, you could require reports to be GPG encrypted (assuming it's email).

Of course, this depends on whether you are okay with causing friction to legitimate reporters - I always looked for a PGP key when reporting but n-1 sample size.


@buherator @bagder @oxyte Not a typo; for the definition, see the other reply 😉


@foosel @buherator @bagder Read it already. You learn something new every day, huh


@oxyte @buherator @bagder Be glad you learned about it this way and not by being on the receiving end of it, repeatedly...

I actually have a growing email filter that's now 11 addresses long for one and the same guy who keeps spamming my mail account with generic AF security reports about "the application" every other week. I tried talking to him in the beginning, linked to OctoPrint's security policy, explained that there's no bounty. No response, just more "reports". Now straight to spam.
