Subject: Re: Bug Bounties. Making $ from bugzilla.
From: "Jonathan S. Shapiro" <shap@eros-os.org>
Date: Sun, 25 Nov 2001 12:31:11 -0500

> What's Bob's incentive to provide the patch speedily?  Why wouldn't
> all the Bobs of the system wait until the bounty stops going up?

Bob is in competition with Bob', and it's an all or nothing game. What is
needed here is a mechanism for Bob to say "I'm fixing it, and I need X
hours", gaining a time-limited exclusive on the contract.

The problem with the mechanism as described so far is that there is no
process for determining whether the fix is a "good" fix. Somebody
knowledgeable about the software actually needs to vet the change.

However, this can be solved by endorsement models as well. The project can
identify several people who it believes are reasonable vetters of changes.
Individuals can also say "I have this bug, and I'll believe it's fixed when
one of {Fred, Mary, Jane, * recommended by project} say so." The vetting
party needs to get a percentage of the take.

Beyond that, however, I see a flaw.

If I recall correctly, it was the experience of Cygnus that most patches
supplied were undesirable, in that they tended to point the way toward the
right solution but were not themselves the right solution. I have a vague
recollection that Mike or John Gilmore told me at one point that there were
only 10 or 15 outside people whose patches they found could routinely just
be applied. This leads me to wonder what quality level the bug bounty could
generate.

I therefore think further tinkering in the payment model is likely to be
needed. One possibility is for the vetting party to be able to say "Bob has
supplied a fix. It's a workaround, but it's not the right workaround because
of X, Y, Z. We're going to award Bob 20%, but we're not going to endorse the
change as an official change."


shap