Subject: Re: Bug Bounties. Making $ from bugzilla.
From: "Karsten M. Self" <kmself@ix.netcom.com>
Date: Sun, 25 Nov 2001 14:12:33 -0800
on Sun, Nov 25, 2001 at 12:56:03PM -0800, Ian Lance Taylor (ian@airs.com) wrote:
> burton@openprivacy.org (Kevin A. Burton) writes:
> 
> > > If they are an expert on that software, mightn't they be the ones that are
> > > doing the fixing?  That would create a conflict of interest.
> > <snip>
> > 
> > I am confused by this last sentence.  I wouldn't have a problem with an expert
> > getting paid to fix bugs.
> 
> If I am an expert in the software, I insert a set of bugs into a
> release, and I prepare patches in advance.  Then I wait for people to
> offer money to fix them, and I release the patches.
> 
> People used to routinely argue that Cygnus had a strong incentive to
> do this.  They were wrong, for two reasons: 1) we didn't have to
> intentionally insert extra bugs; we inserted plenty by mistake; 2) our
> real competitors were not other free software support shops, but other
> companies which provided alternative embedded development tools, so if
> we shipped a buggy product, people would switch away from free
> software and we would get no repeat business.
> 
> In the bug bounty system, reason 1 still exists, but reason 2 does
> not.

Bug bounties are potentially quite harmful in this regard.  They work
where the development, bugfixing, and project management are tightly
integrated.  TeX comes to mind.  In this case, it's a bounty paid by
Knuth to anyone who finds a bug in TeX.  The bounty has been rarely
paid.

In a larger, more complex organization, a similar scheme would
create a significant moral hazard (economics / insurance term).  A
developer could collaborate with one or more confederates on the outside
to seed a product with bugs, for which bounties are paid on discovery.

In Knuth's case, loss and benefit both accrue directly to him.  In the
corporate case (the context I first pointed this problem out in involved
Microsoft -- which probably has its own issues in assessing developer
loyalties given a long history of illegal monopolistic business
practices), costs (drafts on the corporate treasury) and benefits
(bounties paid to bug discoverers) accrue differentially.  Checks would
have to be put in place to curb bias and abuse.

The bounty suggestion posed here is probably less inherently pervertable
than the corporate case, but the system would have to be examined very
carefully and continually monitored.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html