Subject: Re: Bug Bounties. Making $ from bugzilla.
From: Greg Broiles <gbroiles@netbox.com>
Date: Sun, 25 Nov 2001 11:19:06 -0800

At 01:59 AM 11/25/2001 -0800, Kevin A. Burton wrote:

>[...]
>Alice logs into the Bug Bounty system (theoretical name only of course) and
>posts a $20 bounty into the system which holds it in escrow.
>
>It turns out that a lot of other people agree so Carol puts in another $20.
>
>Bob logs into the Bug Bounty system, sees the bounty, fixes the bug and
>uploads the patch.
>
>A 3rd party logs in to the system to approve the bounty (it is approved),
>Alice and Carol get the patch integrated into the next version upgrade (in a few
>weeks) and Bob gets the $40.00.

Why bother with the third party in the first place? Why not make this look 
more like a very tiny software development project, a la -

Alice says she will pay $40 to someone who will make "foo" software 
start/stop doing "blah".

Bob says he will do it.

Both parties can choose to conduct their negotiations in public, if they 
would like to be able to refer to those negotiations when talking to others 
about their outcome. Or they can conduct them in private, if they value 
their privacy over accountability.

Bob produces the patch - again, he can deliver it in public, if he wants to 
maximize the public appearance of his good work, or in private, if it's 
important to him or Alice that they keep the code private.

Alice pays Bob. (or doesn't, and Bob complains in public.)

Alice and Bob's reputations are adjusted accordingly, by anyone who cares 
to pay attention, which will affect their ability in the future to gain 
attention (when proposing projects) or accepted projects .. more or less 
just like the way things work in the ordinary (boring) world of real life, 
modulo that this circa Usenet-era tech vision leverages the net and search 
engines to gain wider distribution of information about projects and their 
completion.

I don't see the need for lots of complicated referee'ing and 
branching/forking. If the resulting patch is license-compatible with the 
original package, the maintainers can incorporate it if they like it. If 
not, then .. no.


--
Greg Broiles -- gbroiles@parrhesia.com -- PGP 0x26E4488c or 0x94245961
4000 dead in NYC? National tragedy.
1000 detained incommunicado without trial, expanded surveillance? National 
disgrace.