
I've worked on a large federated IP reputation system. It sounds like a great idea, but does not work in practice.

The main problem is that it's just too hard to map different kinds of abusive/non-abusive actions to a shared scale. The model here seems to be basically a boolean OR: if anyone flagged an IP as bad, it's marked as bad in the data set. Let's say that you're running a shop and detect a bunch of fraudulent transactions for expensive items, and add the IPs to the list. What can somebody else using this list for say spam-filtering comments to a web forum do with your data points in isolation? Not much, because the action you're protecting is rare, high impact, and unlikely to have FPs so the threshold where you'd mark the IP as abusive would be very different than for the spam-filter use case.

At a minimum you'd need all the clients of the IP reputation signal to also share the positive reputation signals, not just the negative, and to export some forms of volumes or ratios of good and bad traffic. But it'll still be really hard to combine those reports to a single verdict that's generally useful.

A secondary problem is that different kinds of abuse don't even correlate particularly well. Let's say that you've got an IP address sending SMTP spam; the odds are that this IP will not be doing ssh credential stuffing, credit card fraud, mass-scraping, traffic pumping, warez distribution, or DDOS attacks.

The classic SMTP IP blocklists work only because everyone using them is using them for the same purpose, and is as such on a shared scale, and there is a high likelihood of the same abusive actor attacking multiple different organizations. Your example would fit that as well, and doing reputation for that one domain would actually be tractable unlike federated cross-domain IP reputation.
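An added example, not written by the commenter, contrasting the boolean-OR federation they describe with per-domain scoring that uses shared good/bad volumes; the `Report` structure, the threshold values and the sample reports are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Report:
    reporter: str   # organisation submitting the report
    domain: str     # abuse domain: card_fraud, comment_spam, smtp_spam
    ip: str
    good: int       # non-abusive actions observed from ip
    bad: int        # abusive actions observed from ip


# Constructed sample reports (documentation-range IPs, not real indicators).
REPORTS = [
    Report("shop", "card_fraud", "203.0.113.5", good=40, bad=3),
    Report("forum", "comment_spam", "203.0.113.5", good=500, bad=1),
    Report("mailhost", "smtp_spam", "198.51.100.9", good=0, bad=120),
    Report("forum", "comment_spam", "198.51.100.9", good=2, bad=0),
]

# Per-domain bad-ratio thresholds (constructed): rare, high-impact abuse
# such as card fraud tolerates far less than noisy comment spam does.
THRESHOLDS = {"card_fraud": 0.02, "comment_spam": 0.20, "smtp_spam": 0.50}
MIN_VOLUME = 5  # ignore IPs with too little traffic to judge


def boolean_or_verdict(reports):
    """Naive federation: any bad report from anyone marks the IP bad."""
    return {r.ip for r in reports if r.bad > 0}


def per_domain_verdict(reports, domain, threshold, min_volume=MIN_VOLUME):
    """Sum good/bad volumes from reporters within ONE abuse domain and
    block only when the observed bad ratio exceeds that domain's threshold."""
    totals = defaultdict(lambda: [0, 0])
    for r in reports:
        if r.domain == domain:
            totals[r.ip][0] += r.good
            totals[r.ip][1] += r.bad
    blocked = set()
    for ip, (good, bad) in totals.items():
        n = good + bad
        if n >= min_volume and bad / n > threshold:
            blocked.add(ip)
    return blocked
```

With these inputs the OR verdict blocks both IPs everywhere, while the forum's comment-spam verdict blocks neither: the shop's fraud hits say nothing about that IP's 500 clean forum posts, and the mail host's spam source has too little forum traffic to judge.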
