Replying to
Urg, my (very limited) experience with bug bounties is bad, but in general the reporter always has the disadvantage. Don't get me wrong, I think reporting bugs to get them fixed is awesome. Sucks! PS: I think bug bounties need an automatic payout if they "accept" the report.
Replying to and
The main issue I have with Google's bug bounty program is that they often mark my reports as duplicates but I can't see information on the supposed original issue to confirm anything. In some cases, many months pass with no solution and it's possible they mistakenly closed it.
Once it's closed as a duplicate, you get no further updates on whether they're still working on it and preparing to ship a fix. You don't exactly get great information otherwise, but if it's closed as a duplicate you have absolutely no more updates on what's happening.
We're generally reporting issues because we found them as part of developing GrapheneOS and need to ship a fix for it. If it's a problem in the OS rather than firmware or hardware, we can ship a fix ourselves. Doesn't make sense to wait months for them especially without comms.
Main incentive to bother reporting anything we can fix ourselves is not the bug bounty but rather offloading the work of fixing issues to them. If it takes them 120+ days to fix the kinds of issues we report, then that's not a particularly good way of getting anything done.