Subject: Re: Bug Bounties. Making $ from bugzilla.
From: burton@openprivacy.org (Kevin A. Burton)
Date: 25 Nov 2001 15:55:17 -0800


Ian Lance Taylor <ian@airs.com> writes:

> burton@openprivacy.org (Kevin A. Burton) writes:
> 
> > > If they are an expert on that software, mightn't they be the ones that are
> > > doing the fixing?  That would create a conflict of interest.
> > <snip>
> > 
> > I am confused by this last sentence.  I wouldn't have a problem with an expert
> > getting paid to fix bugs.
> 
> If I am an expert in the software, I insert a set of bugs into a release, and
> I prepare patches in advance.  Then I wait for people to offer money to fix
> them, and I release the patches.

HA!   Funny.

True.  But I think that no self-respecting software engineer would do this.

Good threat model though :)

It certainly is an issue and I think we should document it.

In a real software project, with multiple developers, anyone who would commit a
bug like this would get kicked out....  Assuming they weren't, their reputation
would at least go down.

Also, if this trolling/astroturfing behavior is observed, your reputation would
go down a LOT more than for the usual screw-ups.

> People used to routinely argue that Cygnus had a strong incentive to do this.
> They were wrong, for two reasons: 1) we didn't have to intentionally insert
> extra bugs; we inserted plenty by mistake; 2) our real competitors were not
> other free software support shops, but other companies which provided
> alternative embedded development tools, so if we shipped a buggy product,
> people would switch away from free software and we would get no repeat
> business.
> 
> In the bug bounty system, reason 1 still exists, but reason 2 does
> not.

Kevin


-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber - burtonator@jabber.org,  Web - http://relativity.yi.org/

The secret to creativity is knowing how to hide your sources.
  -Albert Einstein