
In good faith or otherwise, the site demands you assume good faith of the people you're arguing with. You cannot do that while calling people's statements "motivated". I speak with some authority on Latacora's "motivations". You're wrong about them (rather the opposite motivation exists), but that's beside the point: they aren't in bounds for discussion here. It would be similarly unfair for me to go look you up and call your affiliations into question.

You're wrong, quite obviously, about other things too. For instance: 'It is in the interest of nobody involved to submit "dubious" bug bounty reports'. In reality, the quality of bug bounty reports across all these platforms is a running industry joke. It's hard to believe anyone could run a public bounty program and believe that bogus reports were not a norm. They're practically all you get.

(I laughed audibly at the sentence in your post where you implied that P0 and Bugcrowd were organizations of similar stature and repute).




> In good faith or otherwise, the site demands you assume good faith of the people you're arguing with. You cannot do that while calling people's statements "motivated".

So what I'm hearing you say is that a quoted person's motivations aren't up for discussion in the comments section when they're posted as an article on this site.

> It would be similarly unfair for me to go look you up and call your affiliations into question.

That's totally fine, I follow you on Twitter, you can look up my LinkedIn, I'm not exactly making a secret of anything here.

> In reality, the quality of bug bounty reports across all these platforms is a running industry joke.

Maybe internally amongst the incumbents but the industry is growing.

> I laughed audibly at the sentence in your post where you implied that P0 and Bugcrowd were organizations of similar stature and repute.

I don't understand how you got that out of me saying I can understand why both those groups refused to talk to this journalist.


The "industry" has had many years to grow, and what I see recently is the same as what I saw years ago: DKIM spam and redirect filter bypasses for long-defunct versions of Firefox.

I am not aware of any shift in the perception of bounty submission quality, where people in the field are now saying "huh, suddenly the bounty inbounds we're getting tend to be legitimate and interesting". If that were happening, it would be newsworthy.


> I am not aware of any shift in the perception of bounty submission quality,

Sure, we agree on that, but that doesn't mean these companies aren't growing - let me be more explicit here - financially.

It'll be newsworthy if the perception "in the field" of required bounty submission quality doesn't match what clients will actually happily accept and pay out, won't it?


I see you trying to walk this back, but to be clear: you wrote pretty directly as if there was no incentive for bounty participants to submit bogus bounty reports --- practically in those words --- and, obviously, the exact opposite is self-evidently true to anyone who has ever managed a bounty program.

You could have just written that the article was bad. You'd have been right! But instead you wrote a long comment about how everybody quoted in the piece was talking their book, and then doubled down with some crazy assertions.


It isn't in bounty hunters' interest to submit bogus reports. Where have I said it doesn't happen, regardless?

I even said at one point, in response to you, directly:

> That makes it even less attractive for bounty hunters to spam low-quality reports.

The "less" there definitely doesn't imply that there are no low-quality reports. Bounty hunters absolutely spam low-quality reports, and there are consequences for that.

Sorry if that wasn't clear.

> But instead you wrote a long comment about how everybody quoted in the piece was talking their book,

Two people and the author. "Everybody" is hyperbolic and I think the article makes some good points.

> crazy assertions

Didn't you think I consider GOOGLE's Project Zero to be an equivalent organisation to Bugcrowd?

Were you suggesting it was against the rules to question the motivation of people quoted in articles on Hacker News?

idk


(Full disclosure: I am the Latacora person quoted in the article. While I didn't coordinate my quote w/ Latacora and speak only for myself, I've documented elsewhere in the comments[0] why I think the idea that Latacora and by proxy I would stand to financially benefit from HackerOne failing doesn't hold water, so I won't repeat that here, but I'm happy to have that argument there if you'd like.)

> It isn't in bounty hunters' interest to submit bogus reports. Where have I said it doesn't happen, regardless?

They clearly do: companies pay out for (and H1 triage regularly fails to filter) complete nonsense findings to the tune of several hundreds of dollars or more. If you can weaponize that process, you can make a decent chunk of change.

There's also no real reputational damage, as long as it remains trivial to Sybil all of the platforms. The platforms are disincentivized to stop that, because anecdotally "number of hackers on platform" is a stat that plays really well in their sales process, and it's a drum they beat loudly.

Finally, if you agree that it happens all the time, why do people keep doing that if it is truly against their interests?

[0]: https://news.ycombinator.com/item?id=22779086


> The platforms are disincentivized to stop that, because anecdotally "number of hackers on platform" is a stat that plays really well in their sales process, and it's a drum they beat loudly.

Anecdotally, the "number of hackers on platform" number is a statistic that causes consternation within the bug bounty community, specifically the number spruiked by some players.

> They clearly do: companies pay out for (and H1 triage regularly fails to filter) complete nonsense findings to the tune of several hundreds of dollars or more.

I said this elsewhere:

> I think this perception might be because H1 didn't provide triaging for a while, but I think the situation is much better now.

I'm absolutely sure there are still issues. I can't speak to the H1 process because I've never worked with it.

I'm not here to wildly gesticulate at H1 like they're bad, though. I want them to do well. But have you tried Bugcrowd? I hear it's laughable to compare them to Google Project Zero, but they've been nice to me, so yeah.

I don't think either you or your colleague are really owed any gentleness from me at this point, so:

I think you should both expect people to question your motivations if you get quoted in articles about another section of your own industry.

I think you're both incredibly naive if you think bug bounty providers are systemically benefitting from the reputational damage the perception, that bug bounty reports are automatically generated script-kiddie outputs, delivers.

I also think that you both need to cultivate a rudimentary understanding of how journalism works. Journalists are paid, almost entirely, by advertisers. Journalists get information from their contacts in the industry. Call of Duty gets great reviews in part because game journalists want to keep getting invited back to events, and because they know the ads for the game aren't likely to run next to a negative review.

Hey, perhaps you did legitimately believe what you said in the article. But the journalist involved was motivated by many other things, and you may have been a useful... uhhh... something-or-other in the service of their greater agenda, keeping their advertisers coming back. Who would advertise on a website called CSO Online, you ask....?

I think we can both agree that people on bb platforms can be total amateurs. Gotta start somewhere.


I have no idea if bounty providers are benefiting from the spray-and-pray bogus submissions that characterize the majority of all bounty submissions. I rather expect that they aren't, and that they're a scourge for everyone involved (other than the sprayers themselves).

But you didn't say "these submissions are bad". You said no incentive caused them to exist at all. As I've said repeatedly, without even a faint rebuttal: you can't ever have managed a bug bounty program and believe that statement is true. It is a crazy thing to say.

I honestly don't give a shit about "CSO Online" (I had no idea anyone from Latacora was quoted in it). As you saw upthread: I think this is a dumb article. But your response to it managed, somehow, to be even dumber, and that's what we're litigating now.


Could you, the guy who assumed I was directly comparing a relatively small startup with Google and uproariously laughed at that comparison, quote me on where I said "no incentive caused them to exist at all"?


Could you maybe give this a rest? The continued presumption of bad faith is objectionable and not consistent with expected standards of this site. And it is boring.





