Subject: Bug insurance?
From: "Seth Gordon" <>
Date: 27 Nov 2001 16:23:37 -0000

Here's an idea that's a sort of bastard offspring of SourceXchange and
Lloyd's of London.

Suppose Trent wants to organize a company that insures Apache users
against bugs and security holes.  He writes up a policy with
everything but the premium and amount of insurance filled in.  Then he
goes to Apache hackers (or their employers) and says, "If you're
willing to absorb part of the risk of paying claims, I'll give you a
cut of the premiums."  Alice, an independent consultant, puts up $10K.
Bob, who runs a larger consulting firm, puts up $50K.

Then Trent goes around looking for customers.  Carol signs up for $10K
worth of insurance; Dave signs up for $20K.  After Trent skims off his
administrative expenses, he divides Carol's remaining premium money
between Alice and Bob, and gives all of Dave's remaining premium money
to Bob.

If Dave encounters an Apache bug, and Trent determines that it's one
of the bugs that Dave is insured against, he passes the bug report
along to Bob.  If Bob provides an adequate patch or workaround within
the time frame required by the policy, then Trent passes the patch
along to both Dave and the Apache maintainers.  If Bob doesn't do the
job, then he forfeits $20K of his deposit money to Dave.

If Carol encounters a bug, Trent flips a coin to decide whether Alice
or Bob is responsible for fixing the bug, and the process proceeds as

Can anyone who knows more about the insurance industry comment on this

