Subject: Re: Bug Bounties. Making $ from bugzilla.
From: burton@openprivacy.org (Kevin A. Burton)
Date: 25 Nov 2001 15:55:13 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Jonathan S. Shapiro" <shap@eros-os.org> writes:

> > What's Bob's incentive to provide the patch speedily?  Why wouldn't
> > all the Bobs of the system wait until the bounty stops going up?
> 
> Bob is in competition with Bob', and it's an all or nothing game. What is
> needed here is a mechanism for Bob to say "I'm fixing it, and I need X hours",
> gaining a time-limited exclusive on the contract.

That certainly is possible... but is it a good idea?

Maybe only someone certified at a certain level should be able to do this.

AKA

"I am fixing it but in order to do it RIGHT I have to fix X other bugs first.
Give me a week"

> The problem with the mechanism as described so far is that there is no process
> for determining whether the fix is a "good" fix. Somebody knowledgeable about
> the software actually needs to vet the change.

There would need to be a feedback mechanism.... AKA if someone submits a junk
patch this will reflect his certification level in the future.

> However, this can be solved by endorsement models as well. The project can
> identify several people who it believes are reasonable vetters of changes.
> Individuals can also say "I have this bug, and I'll believe it's fixed when
> one of {Fred, Mary, Jane, * recommended by project} say so." The vetting party
> needs to get a percentage of the take.

Actually... that isn't a bad idea.

> Beyond that, however, I see a flaw.
> 
> If I recall correctly, it was the experience of Cygnus that most patches
> supplied were undesirable,

Not my experience.  The problem with Cygnus was they did not have an Open
Development Model at the time (as open as it is today).

Thus patches came in "blind" without discussing them with project leads and
other experts.

I would say that most patches to Open projects such as Apache range on the 80%
level.

... I would probably say this is 40% or so for the Linux kernel.... 

But then you can always patch your kernel until they are approved.

> in that they tended to point the way toward the right solution but were not
> themselves the right solution. I have a vague recollection that Mike or John
> Gilmore told me at one point that there were only 10 or 15 outside people
> whose patches they found could routinely just be applied. This leads me to
> wonder what quality level the bug bounty could generate.

Only an implementation would say for sure? :).

My guess is that they would either go up or down.  I doubt they would stay the
same.

... but I do like the "preferred bug hunters" idea.  :)

> I therefore think further tinkering in the payment model is likely to be
> needed. One possibility is for the vetting party to be able to say "Bob has
> supplied a fix. It's a workaround, but it's not the right workaround because
> of X, Y, Z. We're going to award Bob 20%, but we're not going to endorse the
> change as an official change."

Or we could have Bob preserve his reputation by SAYING that it is a workaround.
This way he could get 80% or 70% (or whatever is agreed upon).

After this thread is over I will serialize all the thoughts...

Kevin

- -- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber - burtonator@jabber.org,  Web - http://relativity.yi.org/

'We feel that there are real opportunities with evil, and that when evil is
integrated it into our next generation of Windows products consumers will
[Prince of Darkness] appreciate evil on their desktop,' said Microsoft Chairman
Bill Gates.  'Businesses haven't been able to fully realize their evil
potential.  With evil integrated into Office 2001, corporations big and small
will begin to see enhanced evil productivity.'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Get my public key at: http://relativity.yi.org/pgpkey.txt

iD8DBQE8AWdCAwM6xb2dfE0RAt6HAKDBZovwShAST1SQjTxLwAk1grGcIgCffO+p
ItOEkOqWxpFLas2X6xtiXlo=
=b4My
-----END PGP SIGNATURE-----