Subject: FIRE!!! (was Re: Bug Bounties. Making $ from bugzilla.)
From: "Karsten M. Self" <>
Date: Sun, 25 Nov 2001 22:52:49 -0800
Sun, 25 Nov 2001 22:52:49 -0800
on Sun, Nov 25, 2001 at 01:59:14AM -0800, Kevin A. Burton ( wrote:
> Hash: SHA1
> OK.
> Just thinking off the top of my head.  Has anyone talked about this
> before?  I am sure I am not the first...
> Alice needs a bug fixed in her favorite OSS project.  Alice and Bob
> don't know each other but Bob knows a LOT about that project and could
> fix the bug in a few minutes but he has other things that are more
> important....
> Alice logs into the Bug Bounty system (theoretical name only of
> course) and posts a $20 bounty into the system which holds it in
> escrow.
> It turns out that a lot of other people agree so Carol puts in another
> $20.
> Bob logs into the Bug Bounty system, sees the bounty, fixes the bug
> and uploads the patch.
> A 3rd party logs in to the system to approve the bounty (it is
> approved), Alice and Carol get the patch integrated into the next
> version upgrade (in a few weeks) and Bob gets the $40.00.
> ... of course the devil is in the details. :)
> The 3rd party would have to be paid.  Maybe an agreed percentage.  If
> Bob has a good reputation maybe he wouldn't need the 3rd party.
> Thoughts?  Criticism?

The fundamental problem with this proposal is that it's paying firemen
for piecework:  for putting out fires.  There's a word for that, nearly
rhymes with my name.

More to the point, we're building a relationship between architects /
building maitainers, on the one hand, and firemen on the other.

There's a reason why fire districts are not paid on this basis.  It's
the same reason why this idea is fundamentally flawed.  Kevin seems to
want very much to believe that this isn't the case.  Beggar's horse,

Public financing of law enforcement hasn't reached the same level of
awareness of incentive perversions yet (though we're getting there).
Consequently we have "preformance measures" such as speed traps, asset
siezure and forfeiture, "tourist traps" (and we're not talking
Fisherman's Warf), and related "war booty" financing to greater or
lesser extents of police actions.  And there's a sizeable literature of
legal and economic (and multidisciplinary) criticism of such practices.

A debugging squad is something like a fire department:  the objective of
the group is to put out fires when they're found.   The groundwork is
laid by establishing (and adhering to, which means enforcing)
architectural standards, backed by routine preventive measures and
inspections.  Expenditures on emergency personnel are rated by the risks
and payoffs associated.  Different jurisdictions have different forms of
organization:  there are permanent, full-time, salaried fire
departments, and there are volunteers.  There are also smokejumpers and
emergency rescue personnel trained for specific, rare, and widely
distributed incidents.  And there's the rare special consultant who is
brought in to direct actions (or cleanup and recovery) when
one-of-a-kind expertise is called for.

I'd look at a software response model that was aligned along similar


Karsten M. Self <>
 What part of "Gestalt" don't you understand?             Home of the brave                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA!
Geek for Hire           

["application/pgp-signature" not shown]