Are you talking about huntr.dev? (:

I’ve received quite a few reports from them for my open source projects (it seems once you respond to one, everyone piles on). Some of them are invalid, duplicate, or only involve configuration of a demo app but for the most part I have been OK with them. None of the reporters have “begged” me for anything yet and in something like 75% of the cases the result has been a small bug fix to my projects.

I’ve had enough interaction with them that I’ve even added a SECURITY.txt file referencing the program to some of my repos.



I won't say such a solution is without merit, by any means, but it significantly lowers the barrier to mass requests for bug bounties of an increasingly trivial nature. Since the entity paying out has less knowledge of the product being reported on, it's arguably difficult for them to know if a bounty is justifiable, and since the developer isn't on the hook for the money, they have little incentive not to agree to pay out.

The combination to me feels like a recipe for a lot of payouts for dubious reports. And in at least one case, a request was made to mark a report as valid even though it wasn't really a security flaw or something that was going to be "fixed".

It's good to hear someone has had a positive experience though!



