
Show HN: BountyGraph: Crowdfunded Bug Bounties and Security Audits - justicz
https://justi.cz/bountygraph/2018/08/01/introducing-bountygraph.html
======
tptacek
One problem with this is that the corporate users who would fund a bounty
competitive with the grey market don't really care about the grey market. Some
of the bigger companies are even clients of the grey market, either through
threat intelligence feeds or even through exploit acquisition (for red
teaming).

Another issue is that for the vast majority of applications, the bounty pools
you seem to be considering are way, way too big. The $3000 Google & friends
will pay you through the IBB for serverside bugs is mostly a gift from them.
You should read things like the Zerodium payouts as "we might pay AS MUCH
AS...", and also know that when they say they'll pay "up to" $10k for RCE on
Roundcube, they mean literally: RCE, and has to be Roundcube. They won't pay
you for XSS and they won't pay you for an RCE in something _like_ Roundcube.

Your demo page shows a funding goal of $50,000... for BountyGraph. Not 1
HackerOne program in 10 is funded even to the tune of $20k, and those people
all run actual businesses.

~~~
Thriptic
> One problem with this is that the corporate users who would fund a bounty
> competitive with the grey market don't really care about the grey market.

Mind elaborating?

> Your demo page shows a funding goal of $50,000... for BountyGraph. Not 1
> HackerOne program in 10 is funded even to the tune of $20k, and those people
> all run actual businesses.

Sure, but in this case you're not relying on one business to fund the whole
bounty; theoretically many businesses would be pooling funds. If hundreds of
companies pledge small amounts, you are looking at real money being made
available.

~~~
tptacek
I feel like I did elaborate on the grey market point but if you have more
specific questions I'm happy to take a whack at them.

A big reason businesses don't put huge amounts of money into H1 bounties is
that the median H1 bounty payout is probably somewhere in the vicinity of
$100.

------
JustMatthew
The crowdfunded aspect is interesting, and I like how the total value
crowdfunded (i.e. the total bounty pot or pool) is displayed. That could serve
as a powerful signal to attract bounty hunters.

That said, as a non-coder but an avid bounty setter and bounty hunter on
beta.cent.co, I am wondering if there aren't any other UX tweaks that could be
employed on BountyGraph to either attract and keep more bounty hunters or
participating corporate users/funders or both.

Specifically, the social aspect that Cent facilitates has resulted in a very
interesting general community that also functions as an army of on-demand
bounty hunters. I imagine something similar but tailored to the technical
bounty hunters your site will need could be spun up at a cost to be sure, but
a relatively small one compared to the value that attracting such an army of
bounty hunters could generate.

~~~
justicz
Hi, apologies for not replying to this last week when you originally posted
this!

I think this is really good feedback, and I agree it would be very cool to
build a community of hackers on BountyGraph. I'd really like to build a
"write-ups" feature into the site where users can post about interesting bugs
they've found. We haven't built a reputation system yet either, which is
definitely going to be important down the road.

Thanks for the feedback :)

~~~
JustMatthew
Very awesome to hear (err read). Looking forward to those updates. Cheers.

------
dee-see
Just a little UX note: I'm trying to register and I get a "Username is
invalid" error. I have a special character in it ("-") so I guess that's why,
but it would be a good idea to state your validity rules in the error message.

~~~
justicz
Thank you -- added to the to-do list :)

