4 Comments
yakuhito

I've experienced the issue you're describing first-hand in CircuitDAO's security competition, where the judges had to go through hundreds of reports to ultimately declare only a few issues were valid. Requiring PoCs can help, but also (sometimes) translates to more work being required to submit valid reports - and, if you're not carefully reviewing the AI slop report, you're likely not going to review the AI slop PoC either (from my experience, chatbots seem to do 'simulations' in python, which are hard to follow/invalidate). I appreciated your point about scam bug bounty programs, which is a consequence of requiring fees I haven't considered before.

I'm also a fan of Sherlock's payout criteria, which require researchers to have at least 2 valid bugs and >20% of their total submissions to be valid. What do you think about that? https://docs.sherlock.xyz/audits/watsons/meeting-the-payout-criteria

Bram Cohen

Interesting how they refer to there having been a penalty for wrong submissions in the past, but the amount seems to be available nowhere on the web, so although there's at least one org which has tried it, my point about it being taboo stands. They do talk about $10 for an escalation, which implies that the fees they were charging were very nominal. Requiring 20% of submissions be valid seems entirely reasonable, but 2 valid bugs seems completely arbitrary. Maybe they're trying to stop people from doing the obvious workaround of making all submissions be from distinct bogus entities by requiring 2, but that would most definitely disqualify most of the valid submissions which I've gotten.

Red Rocket

Dude you gifted bra. Your brain is telling you to do the right thing for people. Just like my brain is telling me to do the right thing for people and you.

Kevin

I suspect that charging a fee is going to be equivalent to just not having a bug bounty program.

Maybe we could have an AI reviewer as a first pass for bug bounty submissions.
