• JakenVeina@midwest.social
    24 days ago

    Add a submission fee that gets refunded as part of the bounty payout, or if the reviewer otherwise judges the submission as obviously legitimate.

    Donate all fee proceeds to charity, if you want to counter any incentive to deny submissions for financial gain.

    • bamboo@lemmy.blahaj.zone
      24 days ago

      In the blog post, Daniel does discuss why that is a heavy-handed approach:

      People mention charging a fee for the right to submit a security vulnerability (that could be paid back if a proper report). That would probably slow them down significantly, sure, but it seems like a rather hostile way for an Open Source project that aims to be as open and available as possible. Not to mention that we don’t have any current infrastructure set up for this – and neither does HackerOne. And managing money is painful.

  • Jeena@piefed.jeena.net
    24 days ago

    Paying out money to people who send in bug reports is probably the main problem, because it incentivizes them to use AI and send in as many as possible, throwing everything against the wall and hoping that something sticks and they get a payout. While this was a good method before AI, now, with AI being able to produce reasonable-sounding text, he needs to stop the money transfers; otherwise they will drown in reports and this number of 5% will get way lower.