Subject: Re: Bug Bounties. Making $ from bugzilla.
From: "Karsten M. Self" <kmself@ix.netcom.com>
Date: Sun, 25 Nov 2001 22:35:13 -0800
Sun, 25 Nov 2001 22:35:13 -0800
on Sun, Nov 25, 2001 at 04:04:27PM -0800, Kevin A. Burton (burton@openprivacy.org) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> "Karsten M. Self" <kmself@ix.netcom.com> writes:
> 
> > on Sun, Nov 25, 2001 at 12:56:03PM -0800, Ian Lance Taylor (ian@airs.com) wrote:
> > > burton@openprivacy.org (Kevin A. Burton) writes:

> > Bug bounties are potentially quite harmful in this regard.  They
> > work where the development, bugfixing, and project management are
> > tightly integrated.  TeX comes to mind.  In this case, it's a bounty
> > paid by Knuth to anyone who finds a bug in TeX.  The bounty has been
> > rarely paid.
> 
> How many claims has there been?  If I remember correctly the bounty is
> less than $5.00...

For background, see:

    http://www-cs-faculty.stanford.edu/~knuth/abcde.html

In the case of TAOCP, the reward is $2.54 for each significant error.

In the case of TeX, the program, the current bug award is $327.68, as
Ian noted.  This would indicate fifteen errors (2^15 * 0.01), with an
initial reward of one penny.  Don checks periodically for new errors,
the next scheduled reviews are 2002, 2007, 2013, and 2020.

The version number of TeX converges on pi.  It is currently 3.14159.

More significantly, the point is that Don Knuth, like Daniel J.
Bernstein, writes correct code.  There are some small errors of
execution, but rarely errors of design (I'm not addressing compatibility
here, which is another story).

> > In a larger, more complex organization, a similar scheme would
> > create a significant moral hazard (economics / insurance term).  A
> > developer could collaborate with one or more confederates on the
> > outside to seed a product with bugs, for which bounties are paid on
> > discovery.
> 
> Of course this would only work in a closed system.  Remember just
> because someone introduces bugs doesn't mean that they aren't fixed
> for $0.0 by other contributors.

That wasn't the problem I was discussing, though it's another issue with
such systems.  The Web-based answer service someone brought up on this
thread is another instance.  I subscribed after being told of it by a
friend whose opinions I generally consider, if not always respect.  I
found the quality of questions, let alone answers, to be barely worth my
time.  I'd rather hand out a free clue than be bothered with the
mechanations of the system, in this case.  The service has since folded.

> Also... there would be a SEVERE punishment if anyone was found doing
> this.

Punishment predicates:

  - Monitoring.
  - Adjudication.
  - Actionable penalty.

You no longer have a lightweight system.

> > In Knuth's case, loss and benefit both accrue directly to him.  In
> > the corporate case (the context I first pointed this problem out in
> > involved Microsoft -- which probably has its own issues in assessing
> > developer loyalties given a long history of illegal monopolistic
> > business practices), costs (drafts on the corporate treasury) and
> > benefits (bounties paid to bug discoverers) accrue differentially.
> > Checks would have to be put in place to to curb bias and abuse.
> 
> This is a noop.  Society already has this.  It is called reputation.

Oh.  I guess confidence games, boiler rooms, and late-night PI law
commercials are a figment of someone's imagination.

You've just displayed a charming level of naivete.  If this is your
actual perspective on the topic, it appears you're dismissing this
possibility entirely.  At which point my interest in the proposal drops
markedly.

> What is stopping Linus from adding horrible bugs into the Linux kernel
> and then fixing them.  If he did he would appear like a GOD (of course
> a lot of people think he already is but this is beside the point)

You mean like 2.4.15?  Talk about bone-headed...

There's no incentive to him currently to fix bugs, or seed them.  Your
system introduces just such an incentive.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html


["application/pgp-signature" not shown]