Thanks, fpgaminer, for the great ideas! Generating a Q_b' is certainly an interesting idea, and yes, it does seem like I can simply use one of the already established methods for dividing up the bounty. An important point, though, we need to remember that miners can search for all the patterns simultaneously that belong to the same base public key. Just means passing a list of patterns back to the miner, though, and checking the returned Q_b' and offset against the entire list when they submit.

As for the bounty issue, my site allows submitters to click a "cancel bounty" button to have the bounty they submitted returned back to the address they sent from. This button is only accessible from a special link they receive after submitting the work, so anyone can't just go in and click cancel and wreak havoc.

To kontakt, yes, I have considered proxying work from other pools to allow miners to work on the best available work on any website at once. The drawback to this idea is that it requires a level of trust from the miner with my pool, because I could simply replace the payout address in the "solved work" with my own before sending the solution to the "proxied" pool, effectively stealing the bounty. Of course I wouldn't do this, but in cases of problems with the proxied pool, the miners would come knocking on my door. Not sure if it's worth the trouble to open that can of worms.

That said, replacing the payout address with my own could be the way to proxy the work AND turn it into an actual pooled implementation. That is, I want the entire bounty to be sent to my pool, then I will send out proportional bounty fractions to the miners that submitted proof-of-work. In that case, though, I would be left out in the cold if someone found the solution and submitted it directly to the proxied pool bypassing me. The Q_b' idea mostly avoids this, so still something to consider.

Thanks to both of you!