Subject: Re: Bug Bounties. Making $ from bugzilla.
From: Ian Lance Taylor <ian@airs.com>
Date: 25 Nov 2001 11:10:54 -0800

"Jonathan S. Shapiro" <shap@eros-os.org> writes:

> If I recall correctly, it was the experience of Cygnus that most patches
> supplied were undesirable, in that they tended to point the way toward the
> right solution but were not themselves the right solution. I have a vague
> recollection that Mike or John Gilmore told me at one point that there were
> only 10 or 15 outside people whose patches they found could routinely just
> be applied. This leads me to wonder what quality level the bug bounty could
> generate.

That is true, except that when I was at Cygnus there weren't even as
many as 10 or 15 outside people who submitted high quality patches.
There were maybe 5.

This was in part due to the nature of the programs at Cygnus:
primarily compilers and debuggers.  They are not projects which lend
themselves to splitting up comprehension among a large number of
people.  For example, you can write an Emacs lisp program which adds a
useful feature without understanding many other Emacs lisp programs.
But when working on a compiler or debugger, you pretty much do have to
understand the full array of data structures and interdependencies.
You can split based on processor, and you can split on front end
vs. back end, but the chunks you are left with are large.

The problem I see with payment for bug fix is that the amount that
people are willing to pay is generally much less than the cost of
fixing the bug.  $20 buys 30 minutes of my time.  People who are
willing to pay the real amount it costs to fix a bug probably aren't
willing to pay it to some random person; they would prefer to pay it
to somebody whom they trust, somebody with whom they have a
contractual arrangement, somebody who will provide future support for
the fix.

Ian